Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2023, 17:43

Behavioral tasks
behavioral1: sample 2e8356dfe51bd0a98aadcbd170a6d777.exe, resource win7-20231023-en
behavioral2: sample 2e8356dfe51bd0a98aadcbd170a6d777.exe, resource win10v2004-20231130-en (the run reported on this page)

General
Target: 2e8356dfe51bd0a98aadcbd170a6d777.exe
Size: 1.2MB
MD5: 2e8356dfe51bd0a98aadcbd170a6d777
SHA1: 4bd29d52517f4b14433ca5e911e277123968dbfb
SHA256: e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
SHA512: 2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef
SSDEEP: 24576:N3sTOPjpOgaRtddWpNs1e9fvz+iPRdz5nk86:OTScbRcp1nl
Malware Config
Signatures

DcRat 59 IoCs
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
description / ioc / Process:
  File created C:\Program Files (x86)\MSBuild\Microsoft\f363630c424400  (2e8356dfe51bd0a98aadcbd170a6d777.exe)
  File created C:\Program Files (x86)\Microsoft.NET\7a0fd90576e088  (2e8356dfe51bd0a98aadcbd170a6d777.exe)
  schtasks.exe, 57 processes, PIDs: 3712, 4520, 1876, 5028, 3488, 4628, 556, 4476, 1552, 2928, 4720, 212, 2848, 468, 3656, 3908, 1788, 1440, 1500, 4068, 2020, 3252, 1952, 2884, 4048, 3076, 4824, 4392, 228, 2232, 4988, 4348, 4832, 1252, 3832, 2116, 1384, 4460, 1184, 4964, 1920, 4804, 3776, 2992, 3636, 3140, 3844, 4444, 4296, 2016, 1596, 3780, 5100, 4856, 3928, 1520, 3804
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, every flagged child is schtasks.exe and every one has the same parent, WmiPrvSE.exe (PID 3676), which is the pattern produced when a program runs commands through WMI (Win32_Process.Create) instead of launching them itself: the children are the persistence tasks listed under Processes, not a sign that the WMI provider host was exploited.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target 3676, procid_target 87, Process schtasks.exe, child PIDs: 2016, 3712, 4520, 212, 1440, 4048, 228, 4068, 1876, 5028, 4964, 2992, 3636, 2116, 3928, 1788, 1920, 2020, 3252, 3140, 1384, 2848, 468, 4804, 3844, 4832, 1596, 556, 3780, 5100, 3076, 1952, 2232, 4988, 3488, 4460, 4444, 1500, 1520, 1184, 4824, 4476, 1252, 2884, 4856, 4296, 4348, 4628, 3656, 1552, 3776, 3804, 2928, 3832, 3908, 4720, 4392
resource / yara_rule:
  behavioral2/memory/3212-0-0x0000000000330000-0x000000000046E000-memory.dmp  dcrat
  behavioral2/files/0x0006000000023200-27.dat  dcrat
  behavioral2/files/0x0006000000023207-65.dat  dcrat
  behavioral2/files/0x0006000000023207-66.dat  dcrat
  behavioral2/files/0x0006000000023207-76.dat  dcrat
  behavioral2/files/0x0006000000023207-86.dat  dcrat
  behavioral2/files/0x0006000000023207-95.dat  dcrat
  behavioral2/files/0x0006000000023207-103.dat  dcrat
  behavioral2/files/0x0006000000023207-111.dat  dcrat
  behavioral2/files/0x0006000000023207-119.dat  dcrat
  behavioral2/files/0x0006000000023207-127.dat  dcrat
Checks computer location settings 2 TTPs 10 IoCs
Looks up the country code configured in the registry, likely a geofence. The value read, Control Panel\International\Geo\Nation, holds the numeric Windows GEOID of the user's configured region (not an ISO country code), which is what region-based kill switches compare against.
description / ioc / Process: Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation
  by 2e8356dfe51bd0a98aadcbd170a6d777.exe (2 queries) and csrss.exe (8 queries)
Executes dropped EXE 8 IoCs
csrss.exe (the copy at C:\Program Files (x86)\Microsoft\csrss.exe), PIDs: 4124, 3396, 2452, 3684, 4824, 3908, 2888, 3928
Note that 4824, 3908 and 3928 also appear above as schtasks.exe children: Windows reuses PIDs once a process exits, so correlate on PID plus start time (or the sandbox's procid), not on PID alone.

Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Program Files directory 17 IoCs
All by 2e8356dfe51bd0a98aadcbd170a6d777.exe. Each target directory receives an executable named after a Windows process together with an extension-less file whose name is 14 hexadecimal characters:
  File created C:\Program Files\Windows Portable Devices\dllhost.exe, C:\Program Files\Windows Portable Devices\5940a34987c991
  File created C:\Program Files (x86)\Google\CrashReports\Idle.exe, C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f
  File created C:\Program Files (x86)\Microsoft\csrss.exe, C:\Program Files (x86)\Microsoft\886983d96e3d3e
  File created C:\Program Files\Windows Mail\fontdrvhost.exe, C:\Program Files\Windows Mail\5b884080fd4f94
  File created C:\Program Files (x86)\Microsoft.NET\dllhost.exe, C:\Program Files (x86)\Microsoft.NET\explorer.exe, C:\Program Files (x86)\Microsoft.NET\5940a34987c991, C:\Program Files (x86)\Microsoft.NET\7a0fd90576e088
  File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe, C:\Program Files (x86)\Windows Photo Viewer\it-IT\ee2ad38f3d4382
  File created C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe, C:\Program Files (x86)\MSBuild\Microsoft\f363630c424400
  File opened for modification C:\Program Files (x86)\Microsoft.NET\explorer.exe

Drops file in Windows directory 6 IoCs
All by 2e8356dfe51bd0a98aadcbd170a6d777.exe, same executable-plus-marker pattern:
  File created C:\Windows\apppatch\ja-JP\SppExtComObj.exe, C:\Windows\apppatch\ja-JP\e1ef82546f0b02
  File created C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe, C:\Windows\Vss\Writers\System\55b276f4edf653
  File created C:\Windows\IdentityCRL\unsecapp.exe, C:\Windows\IdentityCRL\29c1c3cc0f7685
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 4720, 3712, 3636, 4476, 4348, 4628, 1876, 3140, 3780, 3844, 4964, 5100, 2992, 4824, 3928, 1788, 2020, 4988, 3804, 5028, 1440, 2116, 1384, 1252, 2928, 4804, 4520, 4048, 556, 1552, 1500, 4296, 4444, 1184, 4856, 2016, 212, 3252, 4832, 1596, 3656, 3776, 4068, 2848, 3488, 4460, 1520, 468, 3832, 3908, 1920, 2884, 4392, 228, 3076, 1952, 2232
Modifies registry class 9 IoCs
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings
  by csrss.exe (8 times) and 2e8356dfe51bd0a98aadcbd170a6d777.exe (once)
Suspicious behavior: EnumeratesProcesses 19 IoCs
2e8356dfe51bd0a98aadcbd170a6d777.exe PID 3212 (3 events), PID 5080 (8 events); csrss.exe PIDs 4124, 3396, 2452, 3684, 4824, 3908, 2888, 3928 (1 event each)
Suspicious use of AdjustPrivilegeToken 10 IoCs
Token: SeDebugPrivilege enabled by 2e8356dfe51bd0a98aadcbd170a6d777.exe (PIDs 3212, 5080) and csrss.exe (PIDs 4124, 3396, 2452, 3684, 4824, 3908, 2888, 3928)
Suspicious use of WriteProcessMemory 54 IoCs
Each writer/target pair below is logged twice (54 rows, 27 distinct pairs), and every pair follows the parent/child pattern of the process chain under Processes (payload → cmd.exe → w32tm.exe and the next payload copy). That is consistent with a parent populating the address space of a child it has just created, not with writes into an unrelated process, so on its own this signature is not evidence of injection here. Format: writer PID (image) → target PID [procid_target].
3212 (2e8356dfe51bd0a98aadcbd170a6d777.exe) → 4596 [96]
4596 (cmd.exe) → 4400 [97], 5080 [98]
5080 (2e8356dfe51bd0a98aadcbd170a6d777.exe) → 4124 [150]
4124 (csrss.exe) → 2068 [151]
2068 (cmd.exe) → 2844 [153], 3396 [155]
3396 (csrss.exe) → 3948 [158]
3948 (cmd.exe) → 2324 [156], 2452 [159]
2452 (csrss.exe) → 4972 [162]
4972 (cmd.exe) → 4916 [160], 3684 [163]
3684 (csrss.exe) → 2512 [166]
2512 (cmd.exe) → 3328 [164], 4824 [167]
4824 (csrss.exe) → 3144 [171]
3144 (cmd.exe) → 3472 [169], 3908 [172]
3908 (csrss.exe) → 1948 [175]
1948 (cmd.exe) → 1896 [173], 2888 [176]
2888 (csrss.exe) → 4928 [182]
4928 (cmd.exe) → 4608 [183], 3928 [184]
3928 (csrss.exe) → 4768 [185]
4768 (cmd.exe) → 1940 [187]
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the tree depth in brackets, the image path and PID, then the command line and the signatures the sandbox attached to that process.

[1] C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe  (PID 3212)
    "C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"
    - DcRat
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\System32\cmd.exe  (PID 4596)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LY5L01moAk.bat"
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\w32tm.exe  (PID 4400)
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[3] C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe  (PID 5080)
    "C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 4124)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[5] C:\Windows\System32\cmd.exe  (PID 2068)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\w32tm.exe  (PID 2844)
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[6] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 3396)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[7] C:\Windows\System32\cmd.exe  (PID 3948)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
    - Suspicious use of WriteProcessMemory
[8] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 2452)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[9] C:\Windows\System32\cmd.exe  (PID 4972)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
    - Suspicious use of WriteProcessMemory
[10] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 3684)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[11] C:\Windows\System32\cmd.exe  (PID 2512)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
    - Suspicious use of WriteProcessMemory
[12] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 4824)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[13] C:\Windows\System32\cmd.exe  (PID 3144)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
    - Suspicious use of WriteProcessMemory
[14] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 3908)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[15] C:\Windows\System32\cmd.exe  (PID 1948)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
    - Suspicious use of WriteProcessMemory
[16] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 2888)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[17] C:\Windows\System32\cmd.exe  (PID 4928)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
    - Suspicious use of WriteProcessMemory
[18] C:\Windows\system32\w32tm.exe  (PID 4608)
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[18] C:\Program Files (x86)\Microsoft\csrss.exe  (PID 3928)
    "C:\Program Files (x86)\Microsoft\csrss.exe"
    - Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[19] C:\Windows\System32\cmd.exe  (PID 4768)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
    - Suspicious use of WriteProcessMemory
[20] C:\Windows\system32\w32tm.exe  (PID 1940)
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

The chain repeats one step: each payload copy runs a freshly named batch file from %TEMP% via cmd /C, and that batch (its contents are not shown on this page) runs w32tm /stripchart against localhost with two samples five seconds apart, a command with no side effects that takes a few seconds, before starting the next csrss.exe copy. The w32tm call therefore serves as a sleep between relaunches, and cmd.exe → w32tm.exe followed by a child started from Program Files is the process-tree shape to look for.
Scheduled tasks (top-level schtasks.exe entries; per the signature table above, each is a child of WmiPrvSE.exe PID 3676 and is tagged DcRat, Process spawned unexpected child process and Creates scheduled task(s))

Every command line has the form
  C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "<task name>" /sc <trigger> [/mo <N>] /tr "'<target>'" [/rl HIGHEST] /f
and the table gives the varying fields. The tasks come in threes per target: an ONLOGON task at /rl HIGHEST and two MINUTE-interval re-launch tasks, one at HIGHEST and one at the default run level, with the interval tasks sharing a name that is the target's name plus its own first letter. The page's listing stops after 36 tasks (12 targets); the signature count of 57 is consistent with 19 targets.

PID   Task name                          Trigger         /rl       Target
2016  explorere                          MINUTE /mo 7    -         C:\Program Files (x86)\Microsoft.NET\explorer.exe
3712  explorer                           ONLOGON         HIGHEST   C:\Program Files (x86)\Microsoft.NET\explorer.exe
4520  explorere                          MINUTE /mo 12   HIGHEST   C:\Program Files (x86)\Microsoft.NET\explorer.exe
212   2e8356dfe51bd0a98aadcbd170a6d7772  MINUTE /mo 8    -         C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe
1440  2e8356dfe51bd0a98aadcbd170a6d777   ONLOGON         HIGHEST   C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe
4048  2e8356dfe51bd0a98aadcbd170a6d7772  MINUTE /mo 6    HIGHEST   C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe
228   RuntimeBroker                      ONLOGON         HIGHEST   C:\Recovery\WindowsRE\RuntimeBroker.exe
4068  RuntimeBrokerR                     MINUTE /mo 5    -         C:\Recovery\WindowsRE\RuntimeBroker.exe
1876  dllhostd                           MINUTE /mo 6    -         C:\Program Files\Windows Portable Devices\dllhost.exe
5028  RuntimeBrokerR                     MINUTE /mo 9    HIGHEST   C:\Recovery\WindowsRE\RuntimeBroker.exe
4964  dllhost                            ONLOGON         HIGHEST   C:\Program Files\Windows Portable Devices\dllhost.exe
2992  IdleI                              MINUTE /mo 8    -         C:\Program Files (x86)\Google\CrashReports\Idle.exe
3636  Idle                               ONLOGON         HIGHEST   C:\Program Files (x86)\Google\CrashReports\Idle.exe
2116  dllhostd                           MINUTE /mo 9    HIGHEST   C:\Program Files\Windows Portable Devices\dllhost.exe
3928  IdleI                              MINUTE /mo 9    HIGHEST   C:\Program Files (x86)\Google\CrashReports\Idle.exe
1788  spoolsvs                           MINUTE /mo 8    HIGHEST   C:\odt\spoolsv.exe
1920  spoolsv                            ONLOGON         HIGHEST   C:\odt\spoolsv.exe
2020  spoolsvs                           MINUTE /mo 10   -         C:\odt\spoolsv.exe
3252  csrssc                             MINUTE /mo 6    -         C:\Program Files (x86)\Microsoft\csrss.exe
3140  csrss                              ONLOGON         HIGHEST   C:\Program Files (x86)\Microsoft\csrss.exe
1384  dllhostd                           MINUTE /mo 12   -         C:\Recovery\WindowsRE\dllhost.exe
2848  csrssc                             MINUTE /mo 13   HIGHEST   C:\Program Files (x86)\Microsoft\csrss.exe
468   dllhostd                           MINUTE /mo 5    HIGHEST   C:\Recovery\WindowsRE\dllhost.exe
4804  dllhost                            ONLOGON         HIGHEST   C:\Recovery\WindowsRE\dllhost.exe
3844  RegistryR                          MINUTE /mo 13   -         C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe
4832  RegistryR                          MINUTE /mo 12   HIGHEST   C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe
1596  Registry                           ONLOGON         HIGHEST   C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe
556   fontdrvhost                        ONLOGON         HIGHEST   C:\Program Files\Windows Mail\fontdrvhost.exe
3780  fontdrvhostf                       MINUTE /mo 12   -         C:\Program Files\Windows Mail\fontdrvhost.exe
5100  fontdrvhostf                       MINUTE /mo 7    HIGHEST   C:\Program Files\Windows Mail\fontdrvhost.exe
3076  StartMenuExperienceHostS           MINUTE /mo 9    -         C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe
1952  StartMenuExperienceHost            ONLOGON         HIGHEST   C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe
2232  StartMenuExperienceHostS           MINUTE /mo 8    HIGHEST   C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe
4988  unsecappu                          MINUTE /mo 11   -         C:\Windows\IdentityCRL\unsecapp.exe
3488  unsecapp                           ONLOGON         HIGHEST   C:\Windows\IdentityCRL\unsecapp.exe
(not shown)  unsecappu                   MINUTE /mo 5    HIGHEST   C:\Windows\IdentityCRL\unsecapp.exe

Note that the dllhostd/dllhost and RuntimeBroker names are reused for different targets (C:\Program Files\Windows Portable Devices\dllhost.exe vs C:\Recovery\WindowsRE\dllhost.exe), so with /f the later /create overwrites the earlier task of the same name; when cleaning up, enumerate tasks by action path, not by name. C:\Recovery\WindowsRE\*.exe and C:\odt\spoolsv.exe appear only here, not in the file-drop lists above, which cover Program Files and the Windows directory.
PID:4460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\odt\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:2324
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:4916
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:3328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:3472
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:1896
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.2MB
MD5 2e8356dfe51bd0a98aadcbd170a6d777
SHA1 4bd29d52517f4b14433ca5e911e277123968dbfb
SHA256 e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
SHA512 2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef
-
Filesize
1KB
MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
1KB
MD5 9699cf9bb24ebbc9b1035710e92b7bd2
SHA1 73f0f26db57ea306970a76f42c647bbce02a3f23
SHA256 fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
SHA512 3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb
-
Filesize
207B
MD5 4be080300b85da53ebb163336f4a6704
SHA1 d783baf9f6a36e0cf67c5bd136c3f119c959801d
SHA256 bf08946bbab8b20e2b2addb8d4a1a49619b9d77f4f5ef74ca6364181b3ca5933
SHA512 b7431c68d5a1d19d01d2aa9e80e26e632ebe8f9b34eb5f6262c76bc3a3beba2a1a5311a4f77465f93bc8c629cc7aa55eec68a6931b1d1a62b821beec37d5886f
-
Filesize
207B
MD5 4ac6f7c5402bd6b9910ded5e4a9b48b2
SHA1 35b28bd4418390fe9441dc4fd390c35d95b1f9cc
SHA256 4c44043b62b1db93f01a7b960d4018bbe981ef7affff01e9765c7bf2580acae3
SHA512 633ca9c281b9220585bf014a9aeec2c099b2421e63defdc49586fafab140aabd9940ce4cec8305a7cda958adf53a524a6b06fd5fc55807e2ec06d9db7fb0fb3e
-
Filesize
207B
MD5 d2c79b7656cc439ac4919e0763fcaf01
SHA1 4ccb601831808ea4dcd29bec1c91f1582103d889
SHA256 05c8d5bfb130e7306f98fcf0040e62269268f318d601ce004dee6194d1c7e2db
SHA512 b926a04a7881da26eed8d4136010de1af36108f2a5187698d877f3feb30a752c7bb014760aa4cc5c66118779e30685b7d560398781e959fee33f3af57c382f41
-
Filesize
235B
MD5 4f31d8885eede8073acf4a3ac753385e
SHA1 220a54c237bd4ca7875f450736e1af445267387f
SHA256 66be23fdfd17db2182e17bd9443a9172ff8d29fc02f0b4ffd65341d03b69ec53
SHA512 f180c04904980ef125f2f9b4ee3b8b67f36b3dda5323e1b24c59dc0c11ab42689db53026ec5e184092cbfcd0f45cb3595d7dd9e5001c9ac10f0985cb247fe65a
-
Filesize
207B
MD5 536519c09b01c51a80149c004f5cd76c
SHA1 82c0d604d68309c72f8559abcde65126c0b42282
SHA256 1b0a5574cd70d101632253ceb6ac0aaef6c9e63319bbed035d3476ae9f81560a
SHA512 21f0a42191b8b67903d9823c64679cc564c5d92ea9ed9e6b1ea06f626055feba3973514b86ad8929e50f031bf4d33094aacab3fb36b206b1232e62fef89ba487
-
Filesize
207B
MD5 28a1bf82b53399caeffc43087b8d7d18
SHA1 db72d3daa3fed839f66c218866b0b9277497f6d2
SHA256 7aa574b4f4f75cb399abb284f533d3a89c9fb3ec3bdf78e70af0124dd4e477a4
SHA512 0785ecdd2b121c5f4bdce7775fd06c8e795cff13d17c91541bb02c5eba87006cde290a33999f34690cdb0e4f38400ad42f37a80fc64753ce232227eb155b2746
-
Filesize
207B
MD5 7921b68d82f670b3fe1038b31cb94b41
SHA1 3015edc3c6c71cb66d180373d4eaa8b5a501416e
SHA256 c17a3af4f77b1284c9beca24b8c520901bd67b080005017181c0181ce26c6a1f
SHA512 f91df8f01e7e7e4faa3a1e7dab59039b6a9673ea760616ed71916dd4a66b5347d7693f803662e33c8a8d146447e1c1a33419f6ce939631f7a9779eae17f458b0
-
Filesize
207B
MD5 f459e8ea151c40d8f3a73f84c7d28b74
SHA1 5112610f15c70a9c7e7b9b92cb8f54fd61406434
SHA256 a75c973131d8a1a62a18a06e3c176987dce1d8d119e6f89be39f5b6c24394907
SHA512 a597fb516090f8598c926845722296b69a2cbaedb588d3dbf09be1e97e76cd92ee6b571a904b365349db14a7c7d2b77b929e183edba8891ef6a95436cc5b655e
-
Filesize
207B
MD5 03f5e9db0b73cd0132566699e8555b68
SHA1 68e34d41734218eec03a269e5a83af1fb9ae864a
SHA256 0fc671f200ad653b723d0f25dc16b844e5ce73fdf17df1fd6485532ecfa170cd
SHA512 19c1bcf9071f5ca41056c22653eda98aed52a2a5842b588c4ebdfd3d1d60918e1d946e016848e22bf230ecf2c63c1eefffdceaac30081e9c8be8b967ddeaf3b0