Analysis
-
max time kernel
133s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26/03/2024, 01:30
Behavioral task
behavioral1
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win10v2004-20240226-en
General
-
Target
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
-
Size
1.7MB
-
MD5
1cf1c8a6b74890f6d1913bf3b9e46a79
-
SHA1
3baa803148359d5ecd3afac11352e8ecab90ceee
-
SHA256
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
-
SHA512
6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
-
SSDEEP
24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Malware Config
Signatures
-
DcRat 45 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 968 schtasks.exe 3836 schtasks.exe 2124 schtasks.exe 4636 schtasks.exe 4748 schtasks.exe 3696 schtasks.exe 1992 schtasks.exe 4592 schtasks.exe 2992 schtasks.exe 3896 schtasks.exe File created C:\Program Files\Windows Photo Viewer\f3b6ecef712a24 hostnet.exe 776 schtasks.exe 2036 schtasks.exe 1680 schtasks.exe 5052 schtasks.exe 1476 schtasks.exe 3980 schtasks.exe 884 schtasks.exe 4036 schtasks.exe 4348 schtasks.exe 3112 schtasks.exe 2576 schtasks.exe 3796 schtasks.exe 2912 schtasks.exe File created C:\Program Files\Common Files\DESIGNER\04c1e7795967e4 hostnet.exe 2716 schtasks.exe 1856 schtasks.exe 3500 schtasks.exe 3152 schtasks.exe 2424 schtasks.exe 5112 schtasks.exe 4604 schtasks.exe 3792 schtasks.exe 4888 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 1204 schtasks.exe 1096 schtasks.exe 1128 schtasks.exe 1636 schtasks.exe 3548 schtasks.exe 1708 schtasks.exe 632 schtasks.exe 1576 schtasks.exe 4508 schtasks.exe 2452 schtasks.exe -
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4036 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 776 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3896 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 884 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1204 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4348 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3836 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3696 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5112 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3792 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3500 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1096 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4636 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 632 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3152 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3112 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4592 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3796 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4748 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3980 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 3064 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3548 3064 schtasks.exe 98 -
resource yara_rule behavioral2/files/0x0008000000023224-10.dat dcrat behavioral2/memory/5100-12-0x0000000000600000-0x0000000000782000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation hostnet.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation hostnet.exe -
Executes dropped EXE 3 IoCs
pid Process 5100 hostnet.exe 816 hostnet.exe 1308 smss.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe hostnet.exe File created C:\Program Files\Common Files\DESIGNER\04c1e7795967e4 hostnet.exe File created C:\Program Files\Windows Photo Viewer\spoolsv.exe hostnet.exe File created C:\Program Files\Windows Photo Viewer\f3b6ecef712a24 hostnet.exe File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\ee2ad38f3d4382 hostnet.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe hostnet.exe File created C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe hostnet.exe File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe hostnet.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe hostnet.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\69ddcba757bf72 hostnet.exe File created C:\Program Files\Windows Portable Devices\smss.exe hostnet.exe File created C:\Program Files\Windows Portable Devices\69ddcba757bf72 hostnet.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Resources\Themes\OfficeClickToRun.exe hostnet.exe File created C:\Windows\Resources\Themes\e6c9b481da804f hostnet.exe File created C:\Windows\Help\mui\0C0A\RuntimeBroker.exe hostnet.exe File created C:\Windows\Help\mui\0C0A\9e8d7a4ca61bd9 hostnet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4036 schtasks.exe 3792 schtasks.exe 3500 schtasks.exe 5052 schtasks.exe 1636 schtasks.exe 1476 schtasks.exe 776 schtasks.exe 2124 schtasks.exe 632 schtasks.exe 3112 schtasks.exe 3796 schtasks.exe 3980 schtasks.exe 2992 schtasks.exe 4348 schtasks.exe 968 schtasks.exe 4508 schtasks.exe 2452 schtasks.exe 1708 schtasks.exe 3896 schtasks.exe 1204 schtasks.exe 3152 schtasks.exe 1576 schtasks.exe 4748 schtasks.exe 2912 schtasks.exe 1992 schtasks.exe 4604 schtasks.exe 1128 schtasks.exe 3836 schtasks.exe 2036 schtasks.exe 2424 schtasks.exe 4636 schtasks.exe 2716 schtasks.exe 1680 schtasks.exe 5112 schtasks.exe 4592 schtasks.exe 4888 schtasks.exe 3548 schtasks.exe 884 schtasks.exe 1856 schtasks.exe 3696 schtasks.exe 1096 schtasks.exe 2576 schtasks.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings hostnet.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings hostnet.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 5100 hostnet.exe 5100 hostnet.exe 5100 hostnet.exe 5100 hostnet.exe 816 hostnet.exe 816 hostnet.exe 816 hostnet.exe 816 hostnet.exe 816 hostnet.exe 816 hostnet.exe 1308 smss.exe 1308 smss.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5100 hostnet.exe Token: SeDebugPrivilege 816 hostnet.exe Token: SeDebugPrivilege 1308 smss.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2604 wrote to memory of 3104 2604 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 89 PID 2604 wrote to memory of 3104 2604 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 89 PID 2604 wrote to memory of 3104 2604 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 89 PID 3104 wrote to memory of 3400 3104 WScript.exe 102 PID 3104 wrote to memory of 3400 3104 WScript.exe 102 PID 3104 wrote to memory of 3400 3104 WScript.exe 102 PID 3400 wrote to memory of 5100 3400 cmd.exe 104 PID 3400 wrote to memory of 5100 3400 cmd.exe 104 PID 5100 wrote to memory of 3496 5100 hostnet.exe 111 PID 5100 wrote to memory of 3496 5100 hostnet.exe 111 PID 3496 wrote to memory of 4380 3496 cmd.exe 113 PID 3496 wrote to memory of 4380 3496 cmd.exe 113 PID 3496 wrote to memory of 816 3496 cmd.exe 114 PID 3496 wrote to memory of 816 3496 cmd.exe 114 PID 816 wrote to memory of 2040 816 hostnet.exe 151 PID 816 wrote to memory of 2040 816 hostnet.exe 151 PID 2040 wrote to memory of 1276 2040 cmd.exe 153 PID 2040 wrote to memory of 1276 2040 cmd.exe 153 PID 2040 wrote to memory of 1308 2040 cmd.exe 155 PID 2040 wrote to memory of 1308 2040 cmd.exe 155 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\BlockSurrogateagentFont\hostnet.exe"C:\BlockSurrogateagentFont\hostnet.exe"4⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7XItC9Yz4s.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4380
-
-
C:\BlockSurrogateagentFont\hostnet.exe"C:\BlockSurrogateagentFont\hostnet.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N1eCHl4zkY.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0C0A\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\mui\0C0A\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\DRM\Server\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DRM\Server\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\DRM\Server\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD5277c7ccc3313d83f51d594cba0ae300d
SHA148531a959a24846841b8fda471c5fea259f2ca38
SHA256175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac
-
Filesize
1.5MB
MD553827648303c620a8fa81a2998ae5ae5
SHA18aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d
-
Filesize
40B
MD515611ce0ff6e3e772e3a8b7ac6cf4653
SHA175bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA5121151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71
-
Filesize
1KB
MD5655010c15ea0ca05a6e5ddcd84986b98
SHA1120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA2562b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
Filesize
203B
MD599feaed4619bba9bd6444a19986de0ba
SHA1f0857a1f73aec6f2015e354c518ef534f63d76ff
SHA256b86e47cdd7522e3d9abea2623e238847b61bc2ce00b91d55e110fec566f2ed7a
SHA5126d9711b742126bf23ef5f96c3d7b515e177622daacc65dba8f39de71b62beb86ddd07ff6ef136b84e7815b7f7f2b390a2e1de144475e72f8049b20ecaa6c0f92
-
Filesize
236B
MD5e990b9deb891d63a0054b2570bf6b39d
SHA1b2eafc8d8eed7fd9ec0382340535dc8033cf02f1
SHA256a42e3f78e32701292ab557ed2b16609394e61c2c501656efd510b7d696e17d7f
SHA51256e7811ad2634d106e4d5ccead0e32ca709d1aaa0430bfae604b9fe0a1258990a6c1e8bde592484be7c40cf9f65b729242f8b95bfab4a0a085ed069b26e03096