Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 02:12
Behavioral task
behavioral1
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win10v2004-20240226-en
General
Target: 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Size: 1.7MB
MD5: 1cf1c8a6b74890f6d1913bf3b9e46a79
SHA1: 3baa803148359d5ecd3afac11352e8ecab90ceee
SHA256: 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
SHA512: 6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
SSDEEP: 24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Malware Config
Signatures
-
DcRat 42 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
pid Process (all 42 entries are schtasks.exe): 1164, 1844, 2760, 3032, 1136, 1968, 948, 1148, 1916, 2100, 2272, 2640, 1588, 1048, 2872, 1732, 1492, 972, 2296, 2876, 2500, 2916, 1996, 2644, 2096, 1952, 2104, 2664, 2192, 2516, 1740, 620, 2464, 2352, 2056, 1932, 1604, 2476, 2864, 2076, 1764, 896
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 42 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid pid_target Process procid_target
2500 2424 schtasks.exe 32
2916 2424 schtasks.exe 32
1164 2424 schtasks.exe 32
1996 2424 schtasks.exe 32
1844 2424 schtasks.exe 32
1916 2424 schtasks.exe 32
2476 2424 schtasks.exe 32
2664 2424 schtasks.exe 32
2192 2424 schtasks.exe 32
1492 2424 schtasks.exe 32
620 2424 schtasks.exe 32
1740 2424 schtasks.exe 32
1968 2424 schtasks.exe 32
2516 2424 schtasks.exe 32
1148 2424 schtasks.exe 32
2760 2424 schtasks.exe 32
2100 2424 schtasks.exe 32
2272 2424 schtasks.exe 32
2864 2424 schtasks.exe 32
2076 2424 schtasks.exe 32
2464 2424 schtasks.exe 32
2640 2424 schtasks.exe 32
2644 2424 schtasks.exe 32
2096 2424 schtasks.exe 32
3032 2424 schtasks.exe 32
1136 2424 schtasks.exe 32
948 2424 schtasks.exe 32
1588 2424 schtasks.exe 32
1764 2424 schtasks.exe 32
972 2424 schtasks.exe 32
1048 2424 schtasks.exe 32
2296 2424 schtasks.exe 32
896 2424 schtasks.exe 32
2352 2424 schtasks.exe 32
2876 2424 schtasks.exe 32
2872 2424 schtasks.exe 32
2056 2424 schtasks.exe 32
1952 2424 schtasks.exe 32
2104 2424 schtasks.exe 32
1732 2424 schtasks.exe 32
1932 2424 schtasks.exe 32
1604 2424 schtasks.exe 32
resource yara_rule
behavioral1/files/0x0027000000014476-11.dat dcrat
behavioral1/memory/2708-13-0x0000000000C40000-0x0000000000DC2000-memory.dmp dcrat
behavioral1/memory/1032-40-0x0000000000110000-0x0000000000292000-memory.dmp dcrat
behavioral1/memory/1032-42-0x000000001B120000-0x000000001B1A0000-memory.dmp dcrat
behavioral1/memory/2164-70-0x0000000000810000-0x0000000000992000-memory.dmp dcrat
Executes dropped EXE 3 IoCs
pid Process
2708 hostnet.exe
1032 hostnet.exe
2164 taskhost.exe
Loads dropped DLL 2 IoCs
pid Process
2724 cmd.exe
2724 cmd.exe
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files\Windows Sidebar\it-IT\csrss.exe hostnet.exe
File created C:\Program Files\Windows Sidebar\it-IT\886983d96e3d3e hostnet.exe
File created C:\Program Files (x86)\Reference Assemblies\winlogon.exe hostnet.exe
File created C:\Program Files (x86)\Reference Assemblies\cc11b995f2a76d hostnet.exe
File created C:\Program Files (x86)\MSBuild\winlogon.exe hostnet.exe
File created C:\Program Files (x86)\MSBuild\cc11b995f2a76d hostnet.exe
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe hostnet.exe
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\42af1c969fbb7b hostnet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process (all 42 entries are schtasks.exe): 2352, 2104, 2664, 2192, 1740, 2516, 2076, 1764, 2296, 2916, 2476, 620, 1968, 2644, 3032, 896, 2500, 1164, 2272, 1588, 972, 1048, 948, 1732, 1996, 1492, 2760, 2640, 2096, 1136, 1148, 2100, 1952, 1932, 2864, 2872, 1916, 1844, 2464, 2876, 2056, 1604
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
2708 hostnet.exe
1032 hostnet.exe (11 entries)
2164 taskhost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 2708 hostnet.exe
Token: SeDebugPrivilege 1032 hostnet.exe
Token: SeDebugPrivilege 2164 taskhost.exe
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1704 wrote to memory of 928 1704 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 28 (4 entries)
PID 928 wrote to memory of 2724 928 WScript.exe 29 (4 entries)
PID 2724 wrote to memory of 2708 2724 cmd.exe 31 (4 entries)
PID 2708 wrote to memory of 576 2708 hostnet.exe 48 (3 entries)
PID 576 wrote to memory of 1512 576 cmd.exe 50 (3 entries)
PID 576 wrote to memory of 1032 576 cmd.exe 51 (3 entries)
PID 1032 wrote to memory of 2164 1032 hostnet.exe 79 (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1704

  Level 2: C:\Windows\SysWOW64\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 928

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command: cmd /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2724

      Level 4: C:\BlockSurrogateagentFont\hostnet.exe
        Command: "C:\BlockSurrogateagentFont\hostnet.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2708

        Level 5: C:\Windows\System32\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zq1Fy1aHNJ.bat"
          - Suspicious use of WriteProcessMemory
          PID: 576

          Level 6: C:\Windows\system32\w32tm.exe
            Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 1512

          Level 6: C:\BlockSurrogateagentFont\hostnet.exe
            Command: "C:\BlockSurrogateagentFont\hostnet.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1032

            Level 7: C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe
              Command: "C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2164
Each of the 42 schtasks.exe processes below runs at level 1 from C:\Windows\system32\schtasks.exe and carries the same three signatures: DcRat, Process spawned unexpected child process, Creates scheduled task(s).

PID 2500: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
PID 2916: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
PID 1164: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
PID 1996: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\csrss.exe'" /f
PID 1844: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\csrss.exe'" /rl HIGHEST /f
PID 1916: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\csrss.exe'" /rl HIGHEST /f
PID 2476: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
PID 2664: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
PID 2192: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
PID 1492: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
PID 620: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
PID 1740: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
PID 1968: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\BlockSurrogateagentFont\sppsvc.exe'" /f
PID 2516: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\sppsvc.exe'" /rl HIGHEST /f
PID 1148: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\BlockSurrogateagentFont\sppsvc.exe'" /rl HIGHEST /f
PID 2760: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f
PID 2100: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
PID 2272: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
PID 2864: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /f
PID 2076: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
PID 2464: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
PID 2640: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f
PID 2644: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
PID 2096: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
PID 3032: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /f
PID 1136: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f
PID 948: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f
PID 1588: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
PID 1764: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
PID 972: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
PID 1048: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /f
PID 2296: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f
PID 896: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f
PID 2352: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
PID 2876: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
PID 2872: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
PID 2056: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe'" /f
PID 1952: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe'" /rl HIGHEST /f
PID 2104: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe'" /rl HIGHEST /f
PID 1732: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\lsass.exe'" /f
PID 1932: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsass.exe'" /rl HIGHEST /f
PID 1604: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\lsass.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
223B
MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac
-
Filesize
40B
MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71
-
Filesize
203B
MD5 dfd3448f8b540b954f8fe09a3394f5bc
SHA1 322b64b2096f0d470abbd0867a75b0d41c9b00b9
SHA256 4299e6f03e2f5f837278a2931fcf762bdc2d190c3c1538dad7df431538795485
SHA512 d11812c5ab0aeb1f94af6ba3cd63113437857eed44056b5a77ae2017bc4ef1e198fb83ef081d47161d6df4cd819cefde6c7a50c617d7e5b0058994cd4725c2f1
-
Filesize
806B
MD5 412b61071e59225e752822fc53838004
SHA1 50e3b04b429ac19e6d4fe5953d7bb3ec8aaa90d9
SHA256 c23dec0292acbca4edab608442a9228376c9b52b82cc130984d929a2b432901c
SHA512 2f402d6552f91e86808e59a36eec5225fbf191ec246ae5cedf71b6d928a52c3b3e0a2813f427b9051483d80bc6770f2ada3c6b31d6dd1d141f6ee41b9e337684
-
Filesize
1.5MB
MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d