Analysis
max time kernel: 125s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 13:41
Behavioral task behavioral1
  Sample: ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
  Resource: win10v2004-20240508-en
General
Target: ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
Size: 1.1MB
MD5: 2768c63cfbffae59b6c2c5483e804d14
SHA1: a577f6aa123f1b641a780ef4cf205b73c2b2bfc3
SHA256: ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4
SHA512: 7ae59899ac9d77e98f5f52e2eeee350bade1aab284fc65bb64ba1ff605a8c7148ae535b8b69bb0fedfde6449becd87b5a0678ce241414d54b7b759c36dd0da04
SSDEEP: 24576:U2G/nvxW3Ww0tkAyVPwER/v6Yq9/zI2SV6/6ODpvdcKRWksjQ:UbA30kAyRwE332SV6XDzRLs0
Malware Config
Signatures
DcRat (35 IoCs)
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins. The 35 IoCs are the 33 schtasks.exe task-creation processes, the Geo\Nation registry lookup by the sample, and one file drop by the second-stage MsRuntimeperf.exe.
Processes:
  pid   process
  1856  schtasks.exe
  1636  schtasks.exe
  4388  schtasks.exe
  1508  schtasks.exe
  2240  schtasks.exe
  2344  schtasks.exe
  3812  schtasks.exe
  832   schtasks.exe
  1496  schtasks.exe
  672   schtasks.exe
  1660  schtasks.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  (ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe)
  1096  schtasks.exe
  2028  schtasks.exe
  3192  schtasks.exe
  3584  schtasks.exe
  2532  schtasks.exe
  File created: C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94  (MsRuntimeperf.exe)
  3480  schtasks.exe
  536   schtasks.exe
  1840  schtasks.exe
  5088  schtasks.exe
  4108  schtasks.exe
  756   schtasks.exe
  4560  schtasks.exe
  1008  schtasks.exe
  2220  schtasks.exe
  2392  schtasks.exe
  4464  schtasks.exe
  2040  schtasks.exe
  1472  schtasks.exe
  224   schtasks.exe
  460   schtasks.exe
  3360  schtasks.exe
  5024  schtasks.exe
Process spawned unexpected child process (33 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In this run every flagged child is schtasks.exe with parent PID 2676, C:\Windows\system32\wbem\wmiprvse.exe. That is also what process creation through WMI (Win32_Process.Create) looks like in process telemetry, because the WMI provider host becomes the parent of the new process; read this signature together with "Uses Task Scheduler COM API" and the uniform schtasks command lines under Processes below, rather than as evidence that WmiPrvSE itself was exploited.
Processes:
  description (identical for all 33 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid   pid_target  process
  3480  2676        schtasks.exe
  1660  2676        schtasks.exe
  2240  2676        schtasks.exe
  756   2676        schtasks.exe
  536   2676        schtasks.exe
  224   2676        schtasks.exe
  4560  2676        schtasks.exe
  1008  2676        schtasks.exe
  2392  2676        schtasks.exe
  1856  2676        schtasks.exe
  1840  2676        schtasks.exe
  460   2676        schtasks.exe
  3360  2676        schtasks.exe
  2220  2676        schtasks.exe
  2344  2676        schtasks.exe
  3192  2676        schtasks.exe
  1636  2676        schtasks.exe
  1096  2676        schtasks.exe
  4388  2676        schtasks.exe
  4464  2676        schtasks.exe
  3812  2676        schtasks.exe
  2028  2676        schtasks.exe
  5024  2676        schtasks.exe
  3584  2676        schtasks.exe
  1508  2676        schtasks.exe
  5088  2676        schtasks.exe
  2532  2676        schtasks.exe
  4108  2676        schtasks.exe
  1472  2676        schtasks.exe
  832   2676        schtasks.exe
  1496  2676        schtasks.exe
  2040  2676        schtasks.exe
  672   2676        schtasks.exe
YARA rule matches:
  resource                                                                     yara_rule
  C:\portMonitor\MsRuntimeperf.exe                                             dcrat
  behavioral2/memory/336-13-0x0000000000930000-0x0000000000A06000-memory.dmp  dcrat
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description         ioc                                                                                               process
  Key value queried   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation   ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation   WScript.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation   MsRuntimeperf.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation   MsRuntimeperf.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  336   MsRuntimeperf.exe
  4996  MsRuntimeperf.exe
  324   msedge.exe
Drops file in Program Files directory (10 IoCs)
All ten writes come from MsRuntimeperf.exe. Each dropped executable is named after a Windows or Edge binary and is placed in a Program Files subdirectory where no such binary belongs, and each is accompanied by an extensionless file whose name is 14 hex characters.
Processes:
  description    ioc                                                                                          process
  File created   C:\Program Files (x86)\Windows Portable Devices\sihost.exe                                   MsRuntimeperf.exe
  File created   C:\Program Files\Common Files\System\en-US\sysmon.exe                                        MsRuntimeperf.exe
  File created   C:\Program Files (x86)\Google\CrashReports\29c1c3cc0f7685                                    MsRuntimeperf.exe
  File created   C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe                              MsRuntimeperf.exe
  File created   C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94                               MsRuntimeperf.exe
  File created   C:\Program Files (x86)\Google\CrashReports\unsecapp.exe                                      MsRuntimeperf.exe
  File created   C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe         MsRuntimeperf.exe
  File created   C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\61a52ddc9dd915     MsRuntimeperf.exe
  File created   C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2                               MsRuntimeperf.exe
  File created   C:\Program Files\Common Files\System\en-US\121e5b5079f7c0                                    MsRuntimeperf.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
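The file-drop list above pairs every dropped EXE with an extensionless 14-hex-character sidecar in the same directory, all written by a process running from C:\portMonitor. The following is an added example (not part of the sandbox report) of a file-creation event check that looks for exactly that pairing; the event list is constructed from the report's "Drops file in Program Files directory" rows plus two benign entries, and the TRUSTED_WRITER_PREFIXES table is an assumption to tune per environment.

```python
"""Pairing check for the DcRat-style file-drop pattern in this report.

Added example, not sandbox output. Every dropped EXE in the report sits next to
an extensionless file whose name is 14 hex characters; the events below are
constructed from that list (plus two benign entries) and are not real telemetry.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HEX_SIDECAR = re.compile(r"^[0-9a-f]{14}$")

# Locations a file-writing process normally runs from (assumption for the example).
TRUSTED_WRITER_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

WRITER = r"C:\portMonitor\MsRuntimeperf.exe"
FILE_EVENTS: List[Tuple[str, str]] = [  # (writer image, created path)
    (WRITER, r"C:\Program Files (x86)\Windows Portable Devices\sihost.exe"),
    (WRITER, r"C:\Program Files\Common Files\System\en-US\sysmon.exe"),
    (WRITER, r"C:\Program Files (x86)\Google\CrashReports\29c1c3cc0f7685"),
    (WRITER, r"C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe"),
    (WRITER, r"C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94"),
    (WRITER, r"C:\Program Files (x86)\Google\CrashReports\unsecapp.exe"),
    (WRITER, r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe"),
    (WRITER, r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\61a52ddc9dd915"),
    (WRITER, r"C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2"),
    (WRITER, r"C:\Program Files\Common Files\System\en-US\121e5b5079f7c0"),
    # Constructed benign noise: a vendor updater writing a log and a DLL, no pairing.
    (r"C:\Program Files\Vendor\update.exe", r"C:\Program Files\Vendor\update.log"),
    (r"C:\Program Files\Vendor\update.exe", r"C:\Program Files\Vendor\helper.dll"),
]


def suspicious_writer(image: str) -> bool:
    """True when the writing process runs from outside the usual program locations
    (the report's writer runs from a directory created at the drive root)."""
    return not image.lower().startswith(TRUSTED_WRITER_PREFIXES)


def find_drop_pairs(events: List[Tuple[str, str]]) -> List[dict]:
    """Group file-creation events by (writer, directory) and report every
    directory in which the same writer created both an .exe and a 14-hex sidecar."""
    groups: Dict[Tuple[str, str], Dict[str, List[str]]] = defaultdict(
        lambda: {"exe": [], "sidecar": []}
    )
    for writer, path in events:
        name = ntpath.basename(path)
        key = (writer, ntpath.dirname(path))
        if name.lower().endswith(".exe"):
            groups[key]["exe"].append(name)
        elif HEX_SIDECAR.match(name.lower()):
            groups[key]["sidecar"].append(name)

    hits = []
    for (writer, directory), names in groups.items():
        if names["exe"] and names["sidecar"]:
            hits.append({
                "writer": writer,
                "writer_suspicious": suspicious_writer(writer),
                "directory": directory,
                "executables": sorted(names["exe"]),
                "sidecars": sorted(names["sidecar"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_drop_pairs(FILE_EVENTS):
        print(hit)
```

The grouping key includes the writer so that a legitimate installer happening to write into the same directory does not get blamed for a sidecar dropped by another process; on real telemetry, widen the time window per group rather than keying on the whole log.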
Creates scheduled task(s) (1 TTPs, 33 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3480  schtasks.exe
  756   schtasks.exe
  4560  schtasks.exe
  2028  schtasks.exe
  5024  schtasks.exe
  3584  schtasks.exe
  832   schtasks.exe
  1660  schtasks.exe
  2344  schtasks.exe
  3192  schtasks.exe
  5088  schtasks.exe
  4108  schtasks.exe
  2392  schtasks.exe
  2220  schtasks.exe
  4388  schtasks.exe
  1496  schtasks.exe
  1856  schtasks.exe
  1840  schtasks.exe
  2240  schtasks.exe
  536   schtasks.exe
  460   schtasks.exe
  3360  schtasks.exe
  4464  schtasks.exe
  672   schtasks.exe
  224   schtasks.exe
  1008  schtasks.exe
  1636  schtasks.exe
  1096  schtasks.exe
  3812  schtasks.exe
  1508  schtasks.exe
  2040  schtasks.exe
  2532  schtasks.exe
  1472  schtasks.exe
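The two signatures "Process spawned unexpected child process" and "Creates scheduled task(s)" are strongest when evaluated together on the command line: a schtasks.exe whose parent is wmiprvse.exe, a short MINUTE interval or /rl HIGHEST, a target whose file name is a Windows binary but whose directory is not, and a task name equal to the target's stem or the stem plus its own first character (smss / smsss, RuntimeBroker / RuntimeBrokerR). The block below is an added example of that combined check, not part of the sandbox report; the process-creation events are constructed from the report's PIDs and command lines plus one benign control, and EXPECTED_DIRS is an assumption listing where those binaries legitimately live.

```python
"""Combined parent/command-line check for the DcRat schtasks persistence pattern.

Added example, not sandbox output. EVENTS is constructed from the report's
process tree (three of the 33 schtasks entries plus one benign control).
"""
import ntpath
import re
from typing import Dict, List, Optional

# Legitimate on-disk locations of the binaries the tasks masquerade as
# (assumption for the example; adjust to the environment being monitored).
EXPECTED_DIRS = {
    "smss.exe":          [r"c:\windows\system32"],
    "lsass.exe":         [r"c:\windows\system32"],
    "fontdrvhost.exe":   [r"c:\windows\system32"],
    "sihost.exe":        [r"c:\windows\system32"],
    "runtimebroker.exe": [r"c:\windows\system32"],
    "unsecapp.exe":      [r"c:\windows\system32\wbem"],
    "sysmon.exe":        [r"c:\windows"],
    "msedge.exe":        [r"c:\program files (x86)\microsoft\edge\application",
                          r"c:\program files\microsoft\edge\application"],
}
WMI_HOST = "wmiprvse.exe"
SHORT_INTERVAL_MINUTES = 15

WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
EVENTS: List[dict] = [
    {"pid": 3480, "ppid": 2676, "parent": WMI, "image": SCHTASKS,
     "cmd": r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\smss.exe'" /f'''},
    {"pid": 1660, "ppid": 2676, "parent": WMI, "image": SCHTASKS,
     "cmd": r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f'''},
    {"pid": 756, "ppid": 2676, "parent": WMI, "image": SCHTASKS,
     "cmd": r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f'''},
    # Constructed benign control: an administrator's nightly job from an interactive shell.
    {"pid": 9001, "ppid": 9000, "parent": r"C:\Windows\System32\cmd.exe", "image": SCHTASKS,
     "cmd": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Scripts\backup.cmd"'''},
]


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes (which are removed)."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Extract /tn, /sc, /mo, /tr, /rl and /f from a schtasks /create line; None otherwise."""
    args = split_args(cmdline)
    if len(args) < 2 or ntpath.basename(args[0]).lower() not in ("schtasks.exe", "schtasks"):
        return None
    if args[1].lower() != "/create":
        return None
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None, "force": False}
    i = 2
    while i < len(args):
        flag = args[i].lower()
        if flag == "/f":
            task["force"] = True
            i += 1
        elif flag in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(args):
            task[flag[1:]] = args[i + 1]
            i += 2
        else:
            i += 1  # switches such as /st or /ru are not needed for this check
    if task["tr"]:
        # DcRat wraps the target in single quotes inside the double quotes: /tr "'C:\x.exe'"
        task["tr"] = task["tr"].strip("'")
    return task


def masquerade_reasons(target: str) -> List[str]:
    """Flag a target whose file name is a known system binary but whose directory is not."""
    name = ntpath.basename(target).lower()
    directory = ntpath.dirname(target).lower()
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return [f"system binary name {name} outside its expected directory ({directory})"]
    return []


def task_name_matches_dcrat(tn: str, target: str) -> bool:
    """The report's tasks are named after the target: the stem, or the stem plus its first character."""
    stem = ntpath.splitext(ntpath.basename(target))[0]
    return bool(stem) and tn in (stem, stem + stem[0])


def analyse_event(ev: dict) -> List[str]:
    reasons = []
    if ntpath.basename(ev["parent"]).lower() == WMI_HOST:
        reasons.append("schtasks.exe spawned by WmiPrvSE.exe (process created via WMI)")
    task = parse_schtasks_create(ev["cmd"])
    if task is None:
        return reasons
    if (task["sc"] or "").upper() == "MINUTE" and task["mo"] and task["mo"].isdigit() \
            and int(task["mo"]) <= SHORT_INTERVAL_MINUTES:
        reasons.append(f"re-executes every {task['mo']} minute(s)")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if task["tr"]:
        reasons += masquerade_reasons(task["tr"])
        if task_name_matches_dcrat(task["tn"] or "", task["tr"]):
            reasons.append("task name derived from target file name (DcRat builder pattern)")
    return reasons


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: reasons} for every event that trips at least one check."""
    return {ev["pid"]: r for ev in events if (r := analyse_event(ev))}


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, reasons)
```

The benign control trips nothing: its parent is an interactive shell, the schedule is DAILY, no /rl HIGHEST, and the task name is unrelated to the target. The WmiPrvSE parent check on its own is noisy in estates that deploy tasks through WMI-based management tooling; the masquerade and naming checks are what separate this sample from that noise.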
Modifies registry class (1 IoCs)
Processes:
  description   ioc                                                                                process
  Key created   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings   ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process
  336   MsRuntimeperf.exe
  4996  MsRuntimeperf.exe
  324   msedge.exe  (9 rows)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  324   msedge.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  336   MsRuntimeperf.exe
  Token: SeDebugPrivilege  4996  MsRuntimeperf.exe
  Token: SeDebugPrivilege  324   msedge.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  pid   process                                                                  target pid  target process
  2524  ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe    5028        WScript.exe  (3 rows)
  5028  WScript.exe                                                              800         cmd.exe  (3 rows)
  800   cmd.exe                                                                  336         MsRuntimeperf.exe  (2 rows)
  336   MsRuntimeperf.exe                                                        4996        MsRuntimeperf.exe  (2 rows)
  4996  MsRuntimeperf.exe                                                        324         msedge.exe  (2 rows)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number after each image is the depth in the process tree. The sample is 32-bit (resource tag arch:x86), so the System32 paths in its command lines resolve to SysWOW64 images through WOW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe  (PID 2524, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe"
  signatures: DcRat; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\WScript.exe  (PID 5028, depth 2)
       command line: "C:\Windows\System32\WScript.exe" "C:\portMonitor\7qmHZrFz6PlKEeySf7g6q7bPLdDi.vbe"
       signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\cmd.exe  (PID 800, depth 3)
            command line: C:\Windows\system32\cmd.exe /c ""C:\portMonitor\1iRUSp.bat" "
            signatures: Suspicious use of WriteProcessMemory
            └─ C:\portMonitor\MsRuntimeperf.exe  (PID 336, depth 4)
                 command line: "C:\portMonitor\MsRuntimeperf.exe"
                 signatures: DcRat; Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                 └─ C:\portMonitor\MsRuntimeperf.exe  (PID 4996, depth 5)
                      command line: "C:\portMonitor\MsRuntimeperf.exe"
                      signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      └─ C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe  (PID 324, depth 6)
                           command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe"
                           signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2212, depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
  signatures: none (this is the genuine Edge install path; the dropped copy that carries the dcrat YARA hit lives under MSBuild\Microsoft\Windows Workflow Foundation\v3.0)
Scheduled-task creation (33 schtasks.exe processes, depth 1)
Every entry below has image C:\Windows\system32\schtasks.exe, parent PID 2676 (wmiprvse.exe, see "Process spawned unexpected child process") and the signatures DcRat, Process spawned unexpected child process and Creates scheduled task(s). Each of the 11 target paths gets three tasks: a MINUTE-interval task without elevation, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. Because the task names repeat across paths and every call uses /f, later calls overwrite earlier ones (the "fontdrvhost" tasks end up pointing at C:\Recovery\WindowsRE\fontdrvhost.exe and the "smss" tasks at C:\portMonitor\smss.exe), so the task list on an infected host understates the set of dropped binaries; the command lines below are the complete record from this run.

PID 3480: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\smss.exe'" /f
PID 1660: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f
PID 2240: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f
PID 756: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
PID 536: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
PID 224: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
PID 4560: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\portMonitor\fontdrvhost.exe'" /f
PID 1008: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\portMonitor\fontdrvhost.exe'" /rl HIGHEST /f
PID 2392: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\portMonitor\fontdrvhost.exe'" /rl HIGHEST /f
PID 1856: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
PID 1840: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
PID 460: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
PID 3360: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\en-US\sysmon.exe'" /f
PID 2220: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\en-US\sysmon.exe'" /rl HIGHEST /f
PID 2344: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\en-US\sysmon.exe'" /rl HIGHEST /f
PID 3192: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\portMonitor\smss.exe'" /f
PID 1636: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\portMonitor\smss.exe'" /rl HIGHEST /f
PID 1096: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\portMonitor\smss.exe'" /rl HIGHEST /f
PID 4388: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /f
PID 4464: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /rl HIGHEST /f
PID 3812: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /rl HIGHEST /f
PID 2028: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
PID 5024: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 3584: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 1508: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\unsecapp.exe'" /f
PID 5088: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\unsecapp.exe'" /rl HIGHEST /f
PID 2532: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\unsecapp.exe'" /rl HIGHEST /f
PID 4108: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe'" /f
PID 1472: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe'" /rl HIGHEST /f
PID 832: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe'" /rl HIGHEST /f
PID 1496: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /f
PID 2040: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
PID 672: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
  SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
  SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
  SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
File 2
  Filesize: 34B
  MD5: e7d861bf32c0cfdce43a988f7624094b
  SHA1: ce94364c1662056c36487d1ad2a3910d60295567
  SHA256: bf1a6596c9cb4f855e364b1b2f4e065d3c3db14814e4cb933a45dc1929604bab
  SHA512: f4e9116284beb83c4b459f386fb1cb2573769c937082a3dd1efb5ebf73693e9ad03be4cb691476720d8a7841b29aea1bd8f57e7070e15baf293c0683dc553f04
File 3
  Filesize: 194B
  MD5: 549bfbdf4b94348d8d90e99da8c2251e
  SHA1: 5a137b4eca702e1154f27729b4bd4de2e66e7562
  SHA256: 3d992a2df8f78acb01aacd43662b8ef67810149dd6c40b96f5d88ce9ba8e215e
  SHA512: c3a5f93b0dde2d1a00133e22014d7b3b8d59c2780b426429d9fa98d3e32e66d6697de50af714b3375d82034f77feba7b90336b8d44767a2eaacd77129dc13793
File 4
  Filesize: 828KB
  MD5: 4168f956abf60ffe49acc17b2544866f
  SHA1: 92c00da15b67c3fbc23a74198b1220c55dc56fec
  SHA256: 19ad2d50f71214129742f9e3901ee595f760b36d5cac676911c3ee0ec7c6546d
  SHA512: 938a4e85094d517e0ca9ef96edd2dfef75accd5d7546da44a921be023dcd066fcab51688b1f7036f67f7dcd3d0e7aedafccc58abee2b22c15da1bb05ec002a0e