Overview

overview

10

Static

static

10

23d198a026...e9.exe

windows7-x64

10

23d198a026...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-01-2023 03:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23d198a026b63a54cc9b075bf55c74e9.exe

  • Size

    2.5MB

  • MD5

    23d198a026b63a54cc9b075bf55c74e9

  • SHA1

    4bb16c2f73d12358131f23eae50d8b0230f11589

  • SHA256

    fbc8543307c9e9be3f3acb9a8804365fb269e4c10b7cc130e2ffd857515af04a

  • SHA512

    3c4860b1a8f5eee837f156237bc542a8b9bd5dac9963fa09c5d4d6109e263e643c648da0e6be02449a192b87fbed5012d73f40a606f4fe22a3eb68e6ffc21d90

  • SSDEEP

    49152:SSg8kOqBMdDhtQM4I+MkmJm9LcBwQYdXQ4J:NfkOqGhhtn9+nmJm9LcBCXvJ

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 60 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 20 IoCs
    persistence
  • Process spawned unexpected child process 60 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 40 IoCs
    persistence
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 60 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23d198a026b63a54cc9b075bf55c74e9.exe
    "C:\Users\Admin\AppData\Local\Temp\23d198a026b63a54cc9b075bf55c74e9.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
        PID:1284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:432
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
          PID:1648
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          2⤵
            PID:1876
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLyJnF7XrG.bat"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1384
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              3⤵
                PID:2120
              • C:\Users\Admin\AppData\Local\Temp\23d198a026b63a54cc9b075bf55c74e9.exe
                "C:\Users\Admin\AppData\Local\Temp\23d198a026b63a54cc9b075bf55c74e9.exe"
                3⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1524
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\lsass.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:796
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1016
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:828
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2356
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2412
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\powershell.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\fr-FR\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2536
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2608
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2648
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2720
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2800
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2828
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\ja-JP\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1716
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\ja-JP\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1612
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1560
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sppsvc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2156
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2112
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2284
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\sppsvc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Favorites\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1256
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2452
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "23d198a026b63a54cc9b075bf55c74e92" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\23d198a026b63a54cc9b075bf55c74e9.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "23d198a026b63a54cc9b075bf55c74e9" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\23d198a026b63a54cc9b075bf55c74e9.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "23d198a026b63a54cc9b075bf55c74e92" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\23d198a026b63a54cc9b075bf55c74e9.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2168
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\powershell.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Music\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2604

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\23d198a026b63a54cc9b075bf55c74e9.exe
            Filesize

            2.5MB

            MD5

            23d198a026b63a54cc9b075bf55c74e9

            SHA1

            4bb16c2f73d12358131f23eae50d8b0230f11589

            SHA256

            fbc8543307c9e9be3f3acb9a8804365fb269e4c10b7cc130e2ffd857515af04a

            SHA512

            3c4860b1a8f5eee837f156237bc542a8b9bd5dac9963fa09c5d4d6109e263e643c648da0e6be02449a192b87fbed5012d73f40a606f4fe22a3eb68e6ffc21d90

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tLyJnF7XrG.bat
            Filesize

            235B

            MD5

            cc4e1afbda4bd859631e680b3842d0ac

            SHA1

            787aa62bf370c67f588aa294ae9d2fa249adb3c1

            SHA256

            e6a54e86cc907bbdaf53f054bb063f4e718ccf54ec45804367aa242d86929b9e

            SHA512

            f5c98190f94763d7d3f0652298ba3ebd014f7f58242666309a251e3a85edfee9a94deabf6e35108a97f970ead15d246dbdfc4d6e4c5819d0f95ed1e720995468

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3dc1e61d1a85414034cc0ab0669c5969

            SHA1

            fb18c1fb95f6947bbf22618f19de0462f2ffa709

            SHA256

            0453d0a0fe48218143294c745ad5a15a424b1c134f4a6e0d75729cc80a210724

            SHA512

            fc117079860a4f98d15ef7baf890174b466e05fcd7e45fe59795ea42b8bda32327fa379ccb6d1cf3c523ba731b3a79fcfe8c5a9ed8eca2d499b085d79dc8f994

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3dc1e61d1a85414034cc0ab0669c5969

            SHA1

            fb18c1fb95f6947bbf22618f19de0462f2ffa709

            SHA256

            0453d0a0fe48218143294c745ad5a15a424b1c134f4a6e0d75729cc80a210724

            SHA512

            fc117079860a4f98d15ef7baf890174b466e05fcd7e45fe59795ea42b8bda32327fa379ccb6d1cf3c523ba731b3a79fcfe8c5a9ed8eca2d499b085d79dc8f994

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3dc1e61d1a85414034cc0ab0669c5969

            SHA1

            fb18c1fb95f6947bbf22618f19de0462f2ffa709

            SHA256

            0453d0a0fe48218143294c745ad5a15a424b1c134f4a6e0d75729cc80a210724

            SHA512

            fc117079860a4f98d15ef7baf890174b466e05fcd7e45fe59795ea42b8bda32327fa379ccb6d1cf3c523ba731b3a79fcfe8c5a9ed8eca2d499b085d79dc8f994

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3dc1e61d1a85414034cc0ab0669c5969

            SHA1

            fb18c1fb95f6947bbf22618f19de0462f2ffa709

            SHA256

            0453d0a0fe48218143294c745ad5a15a424b1c134f4a6e0d75729cc80a210724

            SHA512

            fc117079860a4f98d15ef7baf890174b466e05fcd7e45fe59795ea42b8bda32327fa379ccb6d1cf3c523ba731b3a79fcfe8c5a9ed8eca2d499b085d79dc8f994

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3dc1e61d1a85414034cc0ab0669c5969

            SHA1

            fb18c1fb95f6947bbf22618f19de0462f2ffa709

            SHA256

            0453d0a0fe48218143294c745ad5a15a424b1c134f4a6e0d75729cc80a210724

            SHA512

            fc117079860a4f98d15ef7baf890174b466e05fcd7e45fe59795ea42b8bda32327fa379ccb6d1cf3c523ba731b3a79fcfe8c5a9ed8eca2d499b085d79dc8f994

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3dc1e61d1a85414034cc0ab0669c5969

            SHA1

            fb18c1fb95f6947bbf22618f19de0462f2ffa709

            SHA256

            0453d0a0fe48218143294c745ad5a15a424b1c134f4a6e0d75729cc80a210724

            SHA512

            fc117079860a4f98d15ef7baf890174b466e05fcd7e45fe59795ea42b8bda32327fa379ccb6d1cf3c523ba731b3a79fcfe8c5a9ed8eca2d499b085d79dc8f994

            Download Submit

          • memory/280-92-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/280-138-0x0000000002264000-0x0000000002267000-memory.dmp

            Filesize

            12KB

            Download

          • memory/280-124-0x0000000002264000-0x0000000002267000-memory.dmp

            Filesize

            12KB

            Download

          • memory/280-126-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/280-143-0x000000000226B000-0x000000000228A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/280-68-0x0000000000000000-mapping.dmp

            Download

          • memory/280-129-0x000000001B710000-0x000000001BA0F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/280-77-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/432-140-0x00000000028E4000-0x00000000028E7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/432-112-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/432-69-0x0000000000000000-mapping.dmp

            Download

          • memory/432-118-0x00000000028E4000-0x00000000028E7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/432-89-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/432-147-0x00000000028EB000-0x000000000290A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/688-146-0x00000000026BB000-0x00000000026DA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/688-144-0x00000000026B4000-0x00000000026B7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/688-130-0x000000001B750000-0x000000001BA4F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/688-115-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/688-73-0x0000000000000000-mapping.dmp

            Download

          • memory/688-123-0x00000000026B4000-0x00000000026B7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/688-98-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/864-57-0x00000000003F0000-0x0000000000400000-memory.dmp

            Filesize

            64KB

            Download

          • memory/864-60-0x0000000000420000-0x0000000000432000-memory.dmp

            Filesize

            72KB

            Download

          • memory/864-55-0x0000000000240000-0x000000000024E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/864-54-0x0000000000880000-0x0000000000B0E000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/864-63-0x0000000000860000-0x0000000000868000-memory.dmp

            Filesize

            32KB

            Download

          • memory/864-64-0x0000000000870000-0x0000000000878000-memory.dmp

            Filesize

            32KB

            Download

          • memory/864-61-0x0000000000430000-0x000000000043A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/864-65-0x0000000002230000-0x000000000223C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/864-62-0x0000000000850000-0x000000000085E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/864-56-0x0000000000250000-0x000000000026C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/864-58-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/864-59-0x00000000022B0000-0x0000000002306000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1008-76-0x0000000000000000-mapping.dmp

            Download

          • memory/1008-95-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1008-127-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1008-122-0x0000000002754000-0x0000000002757000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1008-139-0x0000000002754000-0x0000000002757000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1008-145-0x000000000275B000-0x000000000277A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1008-132-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1284-71-0x0000000000000000-mapping.dmp

            Download

          • memory/1324-117-0x00000000023D4000-0x00000000023D7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1324-72-0x0000000000000000-mapping.dmp

            Download

          • memory/1324-148-0x00000000023DB000-0x00000000023FA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1324-102-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1324-141-0x00000000023D4000-0x00000000023D7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1324-111-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1384-100-0x0000000000000000-mapping.dmp

            Download

          • memory/1568-142-0x00000000027C4000-0x00000000027C7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1568-110-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1568-106-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1568-149-0x00000000027CB000-0x00000000027EA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1568-114-0x00000000027C4000-0x00000000027C7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1568-70-0x0000000000000000-mapping.dmp

            Download

          • memory/1648-78-0x0000000000000000-mapping.dmp

            Download

          • memory/1668-153-0x00000000024D4000-0x00000000024D7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1668-116-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1668-150-0x00000000024DB000-0x00000000024FA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1668-67-0x0000000000000000-mapping.dmp

            Download

          • memory/1668-119-0x00000000024D4000-0x00000000024D7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1668-99-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1668-152-0x00000000024DB000-0x00000000024FA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1668-134-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1848-131-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1848-137-0x000000000283B000-0x000000000285A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1848-136-0x0000000002834000-0x0000000002837000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1848-74-0x0000000000000000-mapping.dmp

            Download

          • memory/1848-128-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1848-121-0x0000000002834000-0x0000000002837000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1848-94-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1876-75-0x0000000000000000-mapping.dmp

            Download

          • memory/1960-96-0x000007FEEB3C0000-0x000007FEEBDE3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1960-120-0x00000000026C4000-0x00000000026C7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1960-125-0x000007FEE9FD0000-0x000007FEEAB2D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1960-133-0x000000001B820000-0x000000001BB1F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1960-151-0x00000000026CB000-0x00000000026EA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1960-66-0x0000000000000000-mapping.dmp

            Download

          • memory/1960-154-0x00000000026CB000-0x00000000026EA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1960-155-0x00000000026C4000-0x00000000026C7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2120-105-0x0000000000000000-mapping.dmp

            Download

          • memory/2176-113-0x00000000005B0000-0x00000000005C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2176-109-0x0000000001350000-0x00000000015DE000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/2176-107-0x0000000000000000-mapping.dmp

            Download