Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/03/2024, 13:36
Behavioral task
behavioral1
Sample
1cf1c8a6b74890f6d1913bf3b9e46a79.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1cf1c8a6b74890f6d1913bf3b9e46a79.exe
Resource
win10v2004-20240226-en
General
-
Target
1cf1c8a6b74890f6d1913bf3b9e46a79.exe
-
Size
1.7MB
-
MD5
1cf1c8a6b74890f6d1913bf3b9e46a79
-
SHA1
3baa803148359d5ecd3afac11352e8ecab90ceee
-
SHA256
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
-
SHA512
6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
-
SSDEEP
24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Malware Config
Signatures
-
DcRat 60 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 2672 schtasks.exe 2676 schtasks.exe 1196 schtasks.exe 1328 schtasks.exe 2056 schtasks.exe 2668 schtasks.exe 1516 schtasks.exe 2100 schtasks.exe 1792 schtasks.exe 2936 schtasks.exe 2788 schtasks.exe 1892 schtasks.exe 1036 schtasks.exe 3060 schtasks.exe 2280 schtasks.exe 1924 schtasks.exe 584 schtasks.exe 2876 schtasks.exe 2028 schtasks.exe 2872 schtasks.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\6203df4a6bafc7 hostnet.exe 2140 schtasks.exe 1944 schtasks.exe 2356 schtasks.exe 628 schtasks.exe 2980 schtasks.exe 2552 schtasks.exe 2760 schtasks.exe 2244 schtasks.exe 1416 schtasks.exe 2008 schtasks.exe 2072 schtasks.exe 1980 schtasks.exe 1260 schtasks.exe 2932 schtasks.exe 2700 schtasks.exe 1544 schtasks.exe 1740 schtasks.exe 2824 schtasks.exe 2764 schtasks.exe 784 schtasks.exe 1428 schtasks.exe 2016 schtasks.exe 2656 schtasks.exe 1908 schtasks.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\56085415360792 hostnet.exe 1212 schtasks.exe 780 schtasks.exe 2164 schtasks.exe 2116 schtasks.exe 2292 schtasks.exe 1552 schtasks.exe 920 schtasks.exe 1444 schtasks.exe 2648 schtasks.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe hostnet.exe 496 schtasks.exe 1252 schtasks.exe 1900 schtasks.exe 2716 schtasks.exe -
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 584 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1196 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1260 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2028 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 496 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1944 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 784 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1416 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1212 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1252 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 780 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 920 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 628 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1444 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1908 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2980 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2668 2428 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2428 schtasks.exe 32 -
resource yara_rule behavioral1/files/0x00390000000167ef-9.dat dcrat behavioral1/memory/1940-13-0x0000000000EA0000-0x0000000001022000-memory.dmp dcrat behavioral1/memory/2856-29-0x000000001AF70000-0x000000001AFF0000-memory.dmp dcrat behavioral1/memory/284-73-0x0000000000160000-0x00000000002E2000-memory.dmp dcrat behavioral1/memory/284-75-0x0000000002140000-0x00000000021C0000-memory.dmp dcrat -
Executes dropped EXE 3 IoCs
pid Process 1940 hostnet.exe 2856 hostnet.exe 284 services.exe -
Loads dropped DLL 2 IoCs
pid Process 2564 cmd.exe 2564 cmd.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\56085415360792 hostnet.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\lsass.exe hostnet.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\6203df4a6bafc7 hostnet.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792 hostnet.exe File created C:\Program Files\Microsoft Office\Office14\1033\csrss.exe hostnet.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\6203df4a6bafc7 hostnet.exe File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe hostnet.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\lsass.exe hostnet.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe hostnet.exe File created C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e hostnet.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe hostnet.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe hostnet.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\c5b4cb5e9653cc hostnet.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\de-DE\c5b4cb5e9653cc hostnet.exe File created C:\Windows\AppPatch\es-ES\wininit.exe hostnet.exe File created C:\Windows\AppPatch\es-ES\56085415360792 hostnet.exe File created C:\Windows\fr-FR\System.exe hostnet.exe File created C:\Windows\fr-FR\27d1bcfc3c54e0 hostnet.exe File created C:\Windows\de-DE\services.exe hostnet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 584 schtasks.exe 1416 schtasks.exe 2008 schtasks.exe 1900 schtasks.exe 1444 schtasks.exe 1544 schtasks.exe 2872 schtasks.exe 1516 schtasks.exe 1260 schtasks.exe 1792 schtasks.exe 780 schtasks.exe 2788 schtasks.exe 2876 schtasks.exe 2552 schtasks.exe 2280 schtasks.exe 3060 schtasks.exe 2676 schtasks.exe 1252 schtasks.exe 920 schtasks.exe 1328 schtasks.exe 2656 schtasks.exe 496 schtasks.exe 784 schtasks.exe 1428 schtasks.exe 2824 schtasks.exe 2764 schtasks.exe 2760 schtasks.exe 2292 schtasks.exe 1196 schtasks.exe 2668 schtasks.exe 2016 schtasks.exe 2100 schtasks.exe 1036 schtasks.exe 1212 schtasks.exe 2936 schtasks.exe 1980 schtasks.exe 1552 schtasks.exe 2140 schtasks.exe 2244 schtasks.exe 1944 schtasks.exe 1740 schtasks.exe 2116 schtasks.exe 628 schtasks.exe 1908 schtasks.exe 2648 schtasks.exe 1924 schtasks.exe 2164 schtasks.exe 2672 schtasks.exe 2700 schtasks.exe 1892 schtasks.exe 2056 schtasks.exe 2716 schtasks.exe 2356 schtasks.exe 2980 schtasks.exe 2028 schtasks.exe 2932 schtasks.exe 2072 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1940 hostnet.exe 2856 hostnet.exe 2856 hostnet.exe 2856 hostnet.exe 284 services.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1940 hostnet.exe Token: SeDebugPrivilege 2856 hostnet.exe Token: SeDebugPrivilege 284 services.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2020 wrote to memory of 3056 2020 1cf1c8a6b74890f6d1913bf3b9e46a79.exe 28 PID 2020 wrote to memory of 3056 2020 1cf1c8a6b74890f6d1913bf3b9e46a79.exe 28 PID 2020 wrote to memory of 3056 2020 1cf1c8a6b74890f6d1913bf3b9e46a79.exe 28 PID 2020 wrote to memory of 3056 2020 1cf1c8a6b74890f6d1913bf3b9e46a79.exe 28 PID 3056 wrote to memory of 2564 3056 WScript.exe 29 PID 3056 wrote to memory of 2564 3056 WScript.exe 29 PID 3056 wrote to memory of 2564 3056 WScript.exe 29 PID 3056 wrote to memory of 2564 3056 WScript.exe 29 PID 2564 wrote to memory of 1940 2564 cmd.exe 31 PID 2564 wrote to memory of 1940 2564 cmd.exe 31 PID 2564 wrote to memory of 1940 2564 cmd.exe 31 PID 2564 wrote to memory of 1940 2564 cmd.exe 31 PID 1940 wrote to memory of 2856 1940 hostnet.exe 39 PID 1940 wrote to memory of 2856 1940 hostnet.exe 39 PID 1940 wrote to memory of 2856 1940 hostnet.exe 39 PID 2856 wrote to memory of 2956 2856 hostnet.exe 91 PID 2856 wrote to memory of 2956 2856 hostnet.exe 91 PID 2856 wrote to memory of 2956 2856 hostnet.exe 91 PID 2956 wrote to memory of 2596 2956 cmd.exe 93 PID 2956 wrote to memory of 2596 2956 cmd.exe 93 PID 2956 wrote to memory of 2596 2956 cmd.exe 93 PID 2956 wrote to memory of 284 2956 cmd.exe 94 PID 2956 wrote to memory of 284 2956 cmd.exe 94 PID 2956 wrote to memory of 284 2956 cmd.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\BlockSurrogateagentFont\hostnet.exe"C:\BlockSurrogateagentFont\hostnet.exe"4⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\BlockSurrogateagentFont\hostnet.exe"C:\BlockSurrogateagentFont\hostnet.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uHjFSanmVO.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2596
-
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\es-ES\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogateagentFont\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\BlockSurrogateagentFont\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogateagentFont\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\BlockSurrogateagentFont\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostneth" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\hostnet.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostnet" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\hostnet.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostneth" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\hostnet.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\BlockSurrogateagentFont\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\BlockSurrogateagentFont\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\fr-FR\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD5277c7ccc3313d83f51d594cba0ae300d
SHA148531a959a24846841b8fda471c5fea259f2ca38
SHA256175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac
-
Filesize
40B
MD515611ce0ff6e3e772e3a8b7ac6cf4653
SHA175bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA5121151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71
-
Filesize
246B
MD5d43921ae0992e28cbb786f9fca4cf92c
SHA12e802506523fcad28d2b8e2631ecc8c5e2db4843
SHA256b5dfb9a5de14f79b738f8b2700e7f3d6ee6837c534c777313184a468e3a7aa2f
SHA512420c331461d32875424afca366254b52d7e391d9b1bf03bb41b3dd18e9edd4233aa359de31c9ff7de57a43e85d47c667a95d567064ee12c67d5cf851b5df466e
-
Filesize
1.5MB
MD553827648303c620a8fa81a2998ae5ae5
SHA18aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d