Analysis

  • max time kernel
    117s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    18/11/2023, 00:06

General

  • Target

    3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe

  • Size

    2.0MB

  • MD5

    9b57b45ad1b718ed5e83fb62a8b726c3

  • SHA1

    25e29ba21022424a4d74f2d184238f288a788f32

  • SHA256

    3dd0a5685e10ef6d63758cafee7c651f8ae80a47664158976ace7b80c825a032

  • SHA512

    f9b439d71536513bd8a190774cd4c3c6a5729ecf54f5f70e7abbbffde54485188998c3537b5955f98dac4a390742bfddf2b4ef6f257729e46565bcf862de3209

  • SSDEEP

    24576:JB432G/nvxW3Ww0tLXA/ZohBQTRtWpekBST0Z3jJWOyFFgU91cD0knE4BTi:QbA30DDhBQNxkk0pljyF2U911qi

Score
10/10

Malware Config

Signatures

  • DcRat 62 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 60 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 15 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 60 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
    "C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"
    1⤵
    • DcRat
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\fontintosessionsvc\bridgeWebdll.exe
            "C:\fontintosessionsvc\bridgeWebdll.exe"
            5⤵
            • DcRat
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\fontintosessionsvc\bridgeWebdll.exe
              "C:\fontintosessionsvc\bridgeWebdll.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:328
              • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe
                "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:364
    • C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
      "C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"
      2⤵
      • Executes dropped EXE
      PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RakLaunchR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RakLaunch" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RakLaunchR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\fontintosessionsvc\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\fontintosessionsvc\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\fontintosessionsvc\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\cmd.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\fontintosessionsvc\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\fontintosessionsvc\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\fontintosessionsvc\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\schtasks.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1140

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

          Filesize

          1.5MB

          MD5

          8548cc870e74723070353d67d1df6cba

          SHA1

          1e51a150d92378cecb1c60ffb4715da8838d9fa4

          SHA256

          37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6

          SHA512

          c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

        • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

          Filesize

          1.5MB

          MD5

          8548cc870e74723070353d67d1df6cba

          SHA1

          1e51a150d92378cecb1c60ffb4715da8838d9fa4

          SHA256

          37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6

          SHA512

          c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

        • C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

          Filesize

          336KB

          MD5

          73809a6768903e090178f10eb46ff2c1

          SHA1

          8449c27be4b36b4066996b50b9b3d6078a4f736c

          SHA256

          0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5

          SHA512

          dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

        • C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

          Filesize

          336KB

          MD5

          73809a6768903e090178f10eb46ff2c1

          SHA1

          8449c27be4b36b4066996b50b9b3d6078a4f736c

          SHA256

          0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5

          SHA512

          dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

        • C:\fontintosessionsvc\AtbmE4.vbe

          Filesize

          218B

          MD5

          bfc4c3394520c5407a7a70e99743ca72

          SHA1

          e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17

          SHA256

          c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d

          SHA512

          2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

        • C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat

          Filesize

          40B

          MD5

          72fa4f55254901b819a5996d5eff7bcb

          SHA1

          950f1b3bf5a55a2d88fce41b03a3b5ab079d716d

          SHA256

          962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0

          SHA512

          c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

        • C:\fontintosessionsvc\bridgeWebdll.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • C:\fontintosessionsvc\bridgeWebdll.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • C:\fontintosessionsvc\bridgeWebdll.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe

          Filesize

          1.5MB

          MD5

          8548cc870e74723070353d67d1df6cba

          SHA1

          1e51a150d92378cecb1c60ffb4715da8838d9fa4

          SHA256

          37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6

          SHA512

          c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

        • \Users\Admin\AppData\Local\Temp\RakLaunch.exe

          Filesize

          336KB

          MD5

          73809a6768903e090178f10eb46ff2c1

          SHA1

          8449c27be4b36b4066996b50b9b3d6078a4f736c

          SHA256

          0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5

          SHA512

          dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

        • \fontintosessionsvc\bridgeWebdll.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • \fontintosessionsvc\bridgeWebdll.exe

          Filesize

          1.2MB

          MD5

          d241d05d6cc53887772cc12e93759c50

          SHA1

          e13109e21acd264714539f7f3c9b7f0ff44d0211

          SHA256

          8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

          SHA512

          eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

        • memory/328-45-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

          Filesize

          9.9MB

        • memory/328-85-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

          Filesize

          9.9MB

        • memory/328-46-0x000000001B040000-0x000000001B0C0000-memory.dmp

          Filesize

          512KB

        • memory/364-88-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

          Filesize

          9.9MB

        • memory/364-87-0x000000001B080000-0x000000001B100000-memory.dmp

          Filesize

          512KB

        • memory/364-84-0x0000000000310000-0x0000000000442000-memory.dmp

          Filesize

          1.2MB

        • memory/364-86-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2520-12-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

        • memory/2756-30-0x0000000000F90000-0x0000000001010000-memory.dmp

          Filesize

          512KB

        • memory/2756-28-0x0000000001010000-0x0000000001142000-memory.dmp

          Filesize

          1.2MB

        • memory/2756-47-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2756-29-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2756-32-0x0000000000370000-0x0000000000386000-memory.dmp

          Filesize

          88KB

        • memory/2756-31-0x0000000000350000-0x000000000036C000-memory.dmp

          Filesize

          112KB

        • memory/2756-33-0x0000000000620000-0x000000000062C000-memory.dmp

          Filesize

          48KB