Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2023, 17:43

General

  • Target

    2e8356dfe51bd0a98aadcbd170a6d777.exe

  • Size

    1.2MB

  • MD5

    2e8356dfe51bd0a98aadcbd170a6d777

  • SHA1

    4bd29d52517f4b14433ca5e911e277123968dbfb

  • SHA256

    e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8

  • SHA512

    2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

  • SSDEEP

    24576:N3sTOPjpOgaRtddWpNs1e9fvz+iPRdz5nk86:OTScbRcp1nl

Score
10/10

Malware Config

Signatures

  • DcRat 59 IoCs

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
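The scheduled tasks in the process tree below all follow one shape: for each dropped copy of the payload, one task runs it at logon (/sc ONLOGON /rl HIGHEST) and one or two more re-launch it every few minutes (/sc MINUTE /mo N) as a watchdog, and every copy is named after a Windows binary (csrss.exe, dllhost.exe, RuntimeBroker.exe, spoolsv.exe, ...) or after a Task Manager entry that has no executable at all (Registry, Idle) while living somewhere that binary never does. The following is an added example, not part of the sandbox report or of the DCRat tooling, that parses schtasks /create command lines of this form and flags those traits. The sample command lines are copied from the tree below; the table of home directories for the impersonated binaries is an assumption for a default Windows 10 install.

```python
"""Triage 'schtasks /create' command lines from a sandbox process tree.

Added example, not part of the report. Parses each command line, then
flags the traits DCRat persistence shows: a task target named after a
Windows system binary but stored outside that binary's home directory,
a target named after a process that has no on-disk binary at all,
/rl HIGHEST, and a short /sc MINUTE re-launch interval (watchdog).
"""
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Command lines copied from the process tree in this report (a subset).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /f''',
]

# Assumed home directories of the impersonated binaries on a default
# Windows 10 install (lower-case, no trailing backslash).
SYS32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {
    "csrss.exe": SYS32, "dllhost.exe": SYS32, "runtimebroker.exe": SYS32,
    "spoolsv.exe": SYS32, "fontdrvhost.exe": SYS32, "taskhostw.exe": SYS32,
    "sppextcomobj.exe": SYS32, "unsecapp.exe": {r"c:\windows\system32\wbem"},
    "explorer.exe": {r"c:\windows"},
}
# Task Manager shows "Registry" and "System Idle Process", but neither is
# backed by an executable, so any Registry.exe / Idle.exe is a fake.
PSEUDO_PROCESS_NAMES = {"registry.exe", "idle.exe"}
WATCHDOG_MAX_MINUTES = 15

_OPTS = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "interval": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "run_level": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str          # MINUTE, ONLOGON, ...
    interval: int | None   # /mo value for MINUTE schedules
    target: str            # binary the task launches
    run_level: str         # LIMITED unless /rl HIGHEST was given


def _opt(key: str, cmdline: str) -> str | None:
    m = _OPTS[key].search(cmdline)
    return m.group(1) if m else None


def parse_schtasks(cmdline: str) -> Task | None:
    """Return a Task for a 'schtasks /create' line, None for anything else."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    name, target = _opt("name", cmdline), _opt("target", cmdline)
    if not name or not target:
        return None
    interval = _opt("interval", cmdline)
    return Task(
        name=name,
        schedule=(_opt("schedule", cmdline) or "").upper(),
        interval=int(interval) if interval else None,
        target=target,
        run_level=(_opt("run_level", cmdline) or "LIMITED").upper(),
    )


def assess(task: Task) -> list[str]:
    """Reasons this task looks like masquerading persistence (empty = benign)."""
    reasons = []
    base = ntpath.basename(task.target).lower()
    folder = ntpath.dirname(task.target).lower()
    if base in PSEUDO_PROCESS_NAMES:
        reasons.append(f"{base} mimics a process that has no real executable")
    elif base in SYSTEM_BINARIES and folder not in SYSTEM_BINARIES[base]:
        reasons.append(f"{base} launched from {folder!r}, not {sorted(SYSTEM_BINARIES[base])}")
    if task.run_level == "HIGHEST":
        reasons.append("runs with highest available privileges (/rl HIGHEST)")
    if task.schedule == "MINUTE" and task.interval and task.interval <= WATCHDOG_MAX_MINUTES:
        reasons.append(f"re-launched every {task.interval} min (watchdog task)")
    return reasons


def triage(cmdlines: list[str]) -> list[dict]:
    """Parse, assess and cross-reference a batch of command lines."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t is not None]
    per_target = Counter(t.target.lower() for t in tasks)
    report = []
    for t in tasks:
        reasons = assess(t)
        n = per_target[t.target.lower()]
        if n > 1:
            reasons.append(f"{n} tasks point at the same binary (logon task plus minute watchdog)")
        report.append({"task": t.name, "target": t.target, "reasons": reasons})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_CMDLINES):
        print(f"{row['task']:>14}  {row['target']}")
        for r in row["reasons"]:
            print(f"{'':>16}- {r}")
```

On a live host the same logic applies to the output of `schtasks /query /fo LIST /v` or to Sysmon/4698 task-creation events; the directory table is the part to maintain, since a legitimate binary that moves between builds would otherwise produce a false positive.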

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe
    "C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LY5L01moAk.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4400
        • C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe
          "C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"
          3⤵
          • Checks computer location settings
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Program Files (x86)\Microsoft\csrss.exe
            "C:\Program Files (x86)\Microsoft\csrss.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2844
                • C:\Program Files (x86)\Microsoft\csrss.exe
                  "C:\Program Files (x86)\Microsoft\csrss.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3396
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3948
                    • C:\Program Files (x86)\Microsoft\csrss.exe
                      "C:\Program Files (x86)\Microsoft\csrss.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2452
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4972
                        • C:\Program Files (x86)\Microsoft\csrss.exe
                          "C:\Program Files (x86)\Microsoft\csrss.exe"
                          10⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3684
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                            11⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2512
                            • C:\Program Files (x86)\Microsoft\csrss.exe
                              "C:\Program Files (x86)\Microsoft\csrss.exe"
                              12⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4824
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
                                13⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3144
                                • C:\Program Files (x86)\Microsoft\csrss.exe
                                  "C:\Program Files (x86)\Microsoft\csrss.exe"
                                  14⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:3908
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
                                    15⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1948
                                    • C:\Program Files (x86)\Microsoft\csrss.exe
                                      "C:\Program Files (x86)\Microsoft\csrss.exe"
                                      16⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:2888
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
                                        17⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:4928
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          18⤵
                                            PID:4608
                                          • C:\Program Files (x86)\Microsoft\csrss.exe
                                            "C:\Program Files (x86)\Microsoft\csrss.exe"
                                            18⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:3928
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
                                              19⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:4768
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                20⤵
                                                  PID:1940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2016
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "2e8356dfe51bd0a98aadcbd170a6d7772" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "2e8356dfe51bd0a98aadcbd170a6d777" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "2e8356dfe51bd0a98aadcbd170a6d7772" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4804
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2232
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\unsecapp.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\IdentityCRL\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4444
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4824
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhostw.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4856
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4296
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3776
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\odt\Registry.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3804
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3908
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4720
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4392
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            1⤵
            PID:2324
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            1⤵
            PID:4916
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            1⤵
            PID:3328
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            1⤵
            PID:3472
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            1⤵
            PID:1896
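The top of the tree shows the relaunch loop that produces the "Process spawned unexpected child process" hits: the dropper runs cmd.exe /C on a .bat in the user's Temp directory, the batch file runs w32tm /stripchart /computer:localhost /period:5 /samples:2 (which returns after a few seconds and so serves as a sleep that needs neither timeout.exe nor ping.exe), and then starts the next copy of the payload, which repeats the cycle from a new path. The following is an added example, not part of the report or of any DCRat tooling, that finds this shape in process-creation events and walks each relaunched process back to the original dropper. The events are constructed in a Sysmon Event ID 1 style from the PIDs and command lines in the tree above; PID 1000 standing in for the desktop shell and the two 7xxx benign-control events are assumptions.

```python
"""Spot the batch-relaunch loop in process-creation events.

Added example, not from the report. Looks for cmd.exe running a .bat out of
AppData\\Local\\Temp whose children are a localhost w32tm /stripchart (used as
a delay) and a fresh launch of a non-Windows executable, then walks the
parent chain back to the dropper.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style (Event ID 1) events modelled on the PIDs and
# command lines in the tree above; PID 1000 stands in for the shell, and
# the two 7xxx events are a benign control that also runs w32tm.
EVENTS = [
    {"pid": 3212, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"'},
    {"pid": 4596, "ppid": 3212, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LY5L01moAk.bat"'},
    {"pid": 4400, "ppid": 4596, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 5080, "ppid": 4596,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"'},
    {"pid": 4124, "ppid": 5080, "image": r"C:\Program Files (x86)\Microsoft\csrss.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\csrss.exe"'},
    {"pid": 2068, "ppid": 4124, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"'},
    {"pid": 2844, "ppid": 2068, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 3396, "ppid": 2068, "image": r"C:\Program Files (x86)\Microsoft\csrss.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\csrss.exe"'},
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\Scripts\timecheck.bat"'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /query /status"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def _bat_from_cmd(cmdline: str) -> str | None:
    """Path of the .bat a 'cmd.exe /C "<file>"' line executes, else None."""
    m = re.search(r'/c\s+"?([^"]+\.bat)"?', cmdline, re.I)
    return m.group(1) if m else None


def is_localhost_stripchart(cmdline: str) -> bool:
    """True for the w32tm invocation the batch files use as a sleep."""
    c = cmdline.lower()
    return "w32tm" in c and "/stripchart" in c and "/computer:localhost" in c


def find_bat_relaunch_chains(events: list[dict]) -> list[dict]:
    """One record per cmd.exe that ran a Temp .bat with the delay+relaunch shape."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        bat = _bat_from_cmd(e["cmdline"])
        if not bat or TEMP_MARKER not in bat.lower():
            continue
        kids = children[e["pid"]]
        delay = [k for k in kids if is_localhost_stripchart(k["cmdline"])]
        # anything launched from outside C:\Windows counts as the relaunched payload
        relaunch = [k for k in kids if not k["image"].lower().startswith("c:\\windows\\")]
        if delay and relaunch:
            parent = by_pid.get(e["ppid"])
            hits.append({
                "bat": bat, "cmd_pid": e["pid"],
                "dropper": parent["image"] if parent else None,
                "delay_pid": delay[0]["pid"],
                "relaunched": relaunch[0]["image"], "relaunch_pid": relaunch[0]["pid"],
            })
    return hits


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image names from pid up to the first parent missing from the log."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for h in find_bat_relaunch_chains(EVENTS):
        print(f"cmd.exe {h['cmd_pid']} ran {ntpath.basename(h['bat'])}: "
              f"sleep via w32tm {h['delay_pid']}, relaunched {h['relaunched']} as {h['relaunch_pid']}")
        print("   ancestry:", " <- ".join(ancestry(EVENTS, h["relaunch_pid"])))
```

The .bat itself is deleted by the time an analyst looks, so the detection keys on the command lines that survive in process telemetry rather than on file content; the Temp-directory condition and the requirement that both a delay child and a relaunch child exist under the same cmd.exe are what keep an ordinary logon script that happens to call w32tm out of the results.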

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Google\CrashReports\Idle.exe

    Filesize

    1.2MB

    MD5

    2e8356dfe51bd0a98aadcbd170a6d777

    SHA1

    4bd29d52517f4b14433ca5e911e277123968dbfb

    SHA256

    e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8

    SHA512

    2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

  • C:\Program Files (x86)\Microsoft\csrss.exe

    Filesize

    1.2MB

    MD5

    2e8356dfe51bd0a98aadcbd170a6d777

    SHA1

    4bd29d52517f4b14433ca5e911e277123968dbfb

    SHA256

    e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8

    SHA512

    2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2e8356dfe51bd0a98aadcbd170a6d777.exe.log
                            Filesize: 1KB
                            MD5: bbb951a34b516b66451218a3ec3b0ae1
                            SHA1: 7393835a2476ae655916e0a9687eeaba3ee876e9
                            SHA256: eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
                            SHA512: 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
                            Filesize: 1KB
                            MD5: 9699cf9bb24ebbc9b1035710e92b7bd2
                            SHA1: 73f0f26db57ea306970a76f42c647bbce02a3f23
                            SHA256: fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
                            SHA512: 3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

                          • C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat
                            Filesize: 207B
                            MD5: 4be080300b85da53ebb163336f4a6704
                            SHA1: d783baf9f6a36e0cf67c5bd136c3f119c959801d
                            SHA256: bf08946bbab8b20e2b2addb8d4a1a49619b9d77f4f5ef74ca6364181b3ca5933
                            SHA512: b7431c68d5a1d19d01d2aa9e80e26e632ebe8f9b34eb5f6262c76bc3a3beba2a1a5311a4f77465f93bc8c629cc7aa55eec68a6931b1d1a62b821beec37d5886f

                          • C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat
                            Filesize: 207B
                            MD5: 4ac6f7c5402bd6b9910ded5e4a9b48b2
                            SHA1: 35b28bd4418390fe9441dc4fd390c35d95b1f9cc
                            SHA256: 4c44043b62b1db93f01a7b960d4018bbe981ef7affff01e9765c7bf2580acae3
                            SHA512: 633ca9c281b9220585bf014a9aeec2c099b2421e63defdc49586fafab140aabd9940ce4cec8305a7cda958adf53a524a6b06fd5fc55807e2ec06d9db7fb0fb3e

                          • C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat
                            Filesize: 207B
                            MD5: d2c79b7656cc439ac4919e0763fcaf01
                            SHA1: 4ccb601831808ea4dcd29bec1c91f1582103d889
                            SHA256: 05c8d5bfb130e7306f98fcf0040e62269268f318d601ce004dee6194d1c7e2db
                            SHA512: b926a04a7881da26eed8d4136010de1af36108f2a5187698d877f3feb30a752c7bb014760aa4cc5c66118779e30685b7d560398781e959fee33f3af57c382f41

                          • C:\Users\Admin\AppData\Local\Temp\LY5L01moAk.bat
                            Filesize: 235B
                            MD5: 4f31d8885eede8073acf4a3ac753385e
                            SHA1: 220a54c237bd4ca7875f450736e1af445267387f
                            SHA256: 66be23fdfd17db2182e17bd9443a9172ff8d29fc02f0b4ffd65341d03b69ec53
                            SHA512: f180c04904980ef125f2f9b4ee3b8b67f36b3dda5323e1b24c59dc0c11ab42689db53026ec5e184092cbfcd0f45cb3595d7dd9e5001c9ac10f0985cb247fe65a

                          • C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
                            Filesize: 207B
                            MD5: 536519c09b01c51a80149c004f5cd76c
                            SHA1: 82c0d604d68309c72f8559abcde65126c0b42282
                            SHA256: 1b0a5574cd70d101632253ceb6ac0aaef6c9e63319bbed035d3476ae9f81560a
                            SHA512: 21f0a42191b8b67903d9823c64679cc564c5d92ea9ed9e6b1ea06f626055feba3973514b86ad8929e50f031bf4d33094aacab3fb36b206b1232e62fef89ba487

                          • C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat
                            Filesize: 207B
                            MD5: 28a1bf82b53399caeffc43087b8d7d18
                            SHA1: db72d3daa3fed839f66c218866b0b9277497f6d2
                            SHA256: 7aa574b4f4f75cb399abb284f533d3a89c9fb3ec3bdf78e70af0124dd4e477a4
                            SHA512: 0785ecdd2b121c5f4bdce7775fd06c8e795cff13d17c91541bb02c5eba87006cde290a33999f34690cdb0e4f38400ad42f37a80fc64753ce232227eb155b2746

                          • C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat
                            Filesize: 207B
                            MD5: 7921b68d82f670b3fe1038b31cb94b41
                            SHA1: 3015edc3c6c71cb66d180373d4eaa8b5a501416e
                            SHA256: c17a3af4f77b1284c9beca24b8c520901bd67b080005017181c0181ce26c6a1f
                            SHA512: f91df8f01e7e7e4faa3a1e7dab59039b6a9673ea760616ed71916dd4a66b5347d7693f803662e33c8a8d146447e1c1a33419f6ce939631f7a9779eae17f458b0

                          • C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat
                            Filesize: 207B
                            MD5: f459e8ea151c40d8f3a73f84c7d28b74
                            SHA1: 5112610f15c70a9c7e7b9b92cb8f54fd61406434
                            SHA256: a75c973131d8a1a62a18a06e3c176987dce1d8d119e6f89be39f5b6c24394907
                            SHA512: a597fb516090f8598c926845722296b69a2cbaedb588d3dbf09be1e97e76cd92ee6b571a904b365349db14a7c7d2b77b929e183edba8891ef6a95436cc5b655e

                          • C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat
                            Filesize: 207B
                            MD5: 03f5e9db0b73cd0132566699e8555b68
                            SHA1: 68e34d41734218eec03a269e5a83af1fb9ae864a
                            SHA256: 0fc671f200ad653b723d0f25dc16b844e5ce73fdf17df1fd6485532ecfa170cd
                            SHA512: 19c1bcf9071f5ca41056c22653eda98aed52a2a5842b588c4ebdfd3d1d60918e1d946e016848e22bf230ecf2c63c1eefffdceaac30081e9c8be8b967ddeaf3b0

                          • memory/2452-94-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/2452-88-0x0000000000BF0000-0x0000000000C02000-memory.dmp
                            Filesize: 72KB

                          • memory/2452-87-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/2888-120-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/2888-126-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3212-7-0x000000001BE30000-0x000000001C358000-memory.dmp
                            Filesize: 5.2MB

                          • memory/3212-3-0x0000000002660000-0x000000000267C000-memory.dmp
                            Filesize: 112KB

                          • memory/3212-1-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3212-6-0x00000000026A0000-0x00000000026B2000-memory.dmp
                            Filesize: 72KB

                          • memory/3212-2-0x000000001B290000-0x000000001B2A0000-memory.dmp
                            Filesize: 64KB

                          • memory/3212-18-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3212-4-0x0000000002800000-0x0000000002850000-memory.dmp
                            Filesize: 320KB

                          • memory/3212-5-0x0000000002680000-0x0000000002696000-memory.dmp
                            Filesize: 88KB

                          • memory/3212-0-0x0000000000330000-0x000000000046E000-memory.dmp
                            Filesize: 1.2MB

                          • memory/3396-85-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3396-78-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3396-79-0x000000001AFF0000-0x000000001B002000-memory.dmp
                            Filesize: 72KB

                          • memory/3684-102-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3684-96-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3908-112-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3908-118-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3928-128-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/3928-134-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/4124-74-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/4124-68-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/4824-110-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/4824-104-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/5080-67-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/5080-22-0x0000000001330000-0x0000000001342000-memory.dmp
                            Filesize: 72KB

                          • memory/5080-20-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp
                            Filesize: 10.8MB

                          • memory/5080-21-0x000000001B740000-0x000000001B750000-memory.dmp
                            Filesize: 64KB