Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 06:08

General

  • Target

    0d39a7ade0eaa19a185fc11508caeba9.exe

  • Size

    920KB

  • MD5

    0d39a7ade0eaa19a185fc11508caeba9

  • SHA1

    5083d9622465c43bc02a1edd71acd1d9ae75270c

  • SHA256

    51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

  • SHA512

    480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

  • SSDEEP

    12288:lANcYfRu9sAPayJk5cz9VBRmWAJXJmn72Rfc/G/BwG5vo5YTJRI1m2h47oJuzlZ4:lAbJwPa3YnGWnSR/uGuFQaRQj/

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 22 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe
    "C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3c4kdafJa.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3336
        • C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe
          "C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbIz777asp.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5960
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
                PID:4888
              • C:\Users\Default User\dllhost.exe
                "C:\Users\Default User\dllhost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Tvyktaskhostw" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:2916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IY4Ataskhostw" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "UYtdtaskhostw" /sc ONSTART /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "E6CFsysmon" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "acTHsysmon" /sc ONLOGON /tr "'C:\Program Files\Crashpad\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4600
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ysKhsysmon" /sc ONSTART /tr "'C:\Program Files\Crashpad\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\sysmon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "eZhywininit" /sc MINUTE /mo 8 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cPzNwininit" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "phbmwininit" /sc ONSTART /tr "'C:\ProgramData\regid.1991-06.com.microsoft\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc MINUTE /mo 8 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\wininit.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HfZ3RuntimeBroker" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "9kUIRuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "EKeRRuntimeBroker" /sc ONSTART /tr "'C:\ProgramData\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Desktop\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "womfTextInputHost" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:6136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "H8GOTextInputHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "JXjYTextInputHost" /sc ONSTART /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ezgnRuntimeBroker" /sc MINUTE /mo 11 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5104
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "qOwXRuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "QTbCRuntimeBroker" /sc ONSTART /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 8 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "nHoSdllhost" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "aGLpdllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "UXTEdllhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:2348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TU0WSppExtComObj" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "PY2MSppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "XpC0SppExtComObj" /sc ONSTART /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b5aKcsrss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "2ifQcsrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "oDdLcsrss" /sc ONSTART /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Go8TbackgroundTaskHost" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "w5mTbackgroundTaskHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SotCbackgroundTaskHost" /sc ONSTART /tr "'C:\7330c8a20692d0b35002ea5a\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5612
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 6 /tr "'C:\7330c8a20692d0b35002ea5a\backgroundTaskHost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "PKFtdllhost" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "oZMTdllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dr2Adllhost" /sc ONSTART /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:5756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ExMbspoolsv" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SQUvspoolsv" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "67o3spoolsv" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "71TG0d39a7ade0eaa19a185fc11508caeba9" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "5gFl0d39a7ade0eaa19a185fc11508caeba9" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:6044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ykyI0d39a7ade0eaa19a185fc11508caeba9" /sc ONSTART /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "0d39a7ade0eaa19a185fc11508caeba9" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\0d39a7ade0eaa19a185fc11508caeba9.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1mzZfontdrvhost" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:6100
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "W4xjfontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "UUamfontdrvhost" /sc ONSTART /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wQpcWmiPrvSE" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4636_1843666867\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "pHP9WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4636_1843666867\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "tHuMWmiPrvSE" /sc ONSTART /tr "'C:\Program Files\edge_BITS_4636_1843666867\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4636_1843666867\WmiPrvSE.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "YKiLsmss" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ZkeAsmss" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cRMOsmss" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "us9Ydllhost" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "kxJodllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:1808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "n42vdllhost" /sc ONSTART /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:1688
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\dllhost.exe'" /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:5292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "LP39fontdrvhost" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "9Mtlfontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DikOfontdrvhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        PID:4396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "x32CSystem" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
        1⤵
          PID:1984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "tCkpSystem" /sc ONLOGON /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Scheduled Task/Job: Scheduled Task
          PID:1928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "g0xuSystem" /sc ONSTART /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\System.exe'" /f
          1⤵
            PID:4528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "vWIBbackgroundTaskHost" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2016
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "mB3IbackgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            PID:5632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sjyNbackgroundTaskHost" /sc ONSTART /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            PID:5516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:3816
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NaeKRuntimeBroker" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2396
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fWKoRuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:5680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "5GbNRuntimeBroker" /sc ONSTART /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:5980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "1WVfRuntimeBroker" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "x7GHRuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "ldXERuntimeBroker" /sc ONSTART /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2608
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:6052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\regid.1991-06.com.microsoft\wininit.exe

    Filesize

    920KB

    MD5

    8a0baa5ffe1505f4379b057bcdffb5c8

    SHA1

    d714b777cdbbe8a0841af7893f2bc040a5590e35

    SHA256

    655ffff258f8126912ff24b3bf91aed64d6b46b0759e762b1b0179ea3ba75ea2

    SHA512

    7fab7fd5b3ed3542c03d148f11b973e9774001d8ff1d2edc5fabe060990ea796481b2e8bebaf1bb270de1e80727428527ec5e5ad544f9394b8bb09d652176d4c

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0d39a7ade0eaa19a185fc11508caeba9.exe.log

    Filesize

    1KB

    MD5

    bbb951a34b516b66451218a3ec3b0ae1

    SHA1

    7393835a2476ae655916e0a9687eeaba3ee876e9

    SHA256

    eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

    SHA512

    63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

  • C:\Users\Admin\AppData\Local\Temp\RCXCE8C.tmp

    Filesize

    920KB

    MD5

    0d39a7ade0eaa19a185fc11508caeba9

    SHA1

    5083d9622465c43bc02a1edd71acd1d9ae75270c

    SHA256

    51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

    SHA512

    480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

  • C:\Users\Admin\AppData\Local\Temp\bbIz777asp.bat

    Filesize

    197B

    MD5

    af5e9a20b8b6a3914a998a412401b578

    SHA1

    bc82df1efbacaab2f43fd82799127c15eda143e9

    SHA256

    9317a47ed3754a9d50b65c2f64c3afb9dc65c09f27f85305802e447a122da278

    SHA512

    c85855c38226e6382e155cb06e2b189f3b3a192c284b53378f387bde23a746b868da1204f44add3c56a4686a1dff7c3a5a611eb37cf28cb0576d722426dfbe36

  • C:\Users\Admin\AppData\Local\Temp\f3c4kdafJa.bat

    Filesize

    234B

    MD5

    9828d302292ba105c44f46d02ba54069

    SHA1

    ebf72deaae83e9cbd9cd422685786b0c07aac8ec

    SHA256

    7943a4ddfa4bef94a738b625b73022c6e75e9870372eae88869a83b88e47e3b9

    SHA512

    b8355741d8ecb4be41f4d56a05a5688f5a93bb7d04cac5a5e5eb69934676a26f48fd1d24df43a0e2d6e58b310009b531535496e78bf2bdb77bee24d149613525

  • memory/1244-4-0x000000001B810000-0x000000001B860000-memory.dmp

    Filesize

    320KB

  • memory/1244-5-0x0000000000F10000-0x0000000000F20000-memory.dmp

    Filesize

    64KB

  • memory/1244-7-0x000000001B1C0000-0x000000001B1D2000-memory.dmp

    Filesize

    72KB

  • memory/1244-8-0x000000001BFE0000-0x000000001C508000-memory.dmp

    Filesize

    5.2MB

  • memory/1244-9-0x000000001B290000-0x000000001B29C000-memory.dmp

    Filesize

    48KB

  • memory/1244-10-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

    Filesize

    48KB

  • memory/1244-11-0x000000001B2A0000-0x000000001B2A8000-memory.dmp

    Filesize

    32KB

  • memory/1244-6-0x0000000000F20000-0x0000000000F30000-memory.dmp

    Filesize

    64KB

  • memory/1244-0-0x00007FFB95953000-0x00007FFB95955000-memory.dmp

    Filesize

    8KB

  • memory/1244-76-0x00007FFB95950000-0x00007FFB96411000-memory.dmp

    Filesize

    10.8MB

  • memory/1244-3-0x0000000000EE0000-0x0000000000EFC000-memory.dmp

    Filesize

    112KB

  • memory/1244-2-0x00007FFB95950000-0x00007FFB96411000-memory.dmp

    Filesize

    10.8MB

  • memory/1244-1-0x0000000000540000-0x000000000062C000-memory.dmp

    Filesize

    944KB

  • memory/2392-80-0x0000000002FA0000-0x0000000002FB2000-memory.dmp

    Filesize

    72KB