Analysis
-
max time kernel
92s
-
max time network
94s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
-
submitted
31-05-2024 07:57
Behavioral task
behavioral1
Sample
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Resource
win10v2004-20240426-en
General
-
Target
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Size
829KB
-
MD5
28b77e68b269756ba427c8d30deef9de
-
SHA1
815371ee33e46a6b1a1257b6e01bbaf46ce8d0f5
-
SHA256
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e
-
SHA512
23488adba74b5c22bca70c2b307020b00696eafc37041bd4a578227d2d4ac6c5ac5f1b107159ea9a15ff08fb865409e06164649a1a2b584fb5bc0b8186b73554
-
SSDEEP
24576:REKNonGb2iV7XQyzP9miug5/JXqY/0u0DT:REK+nC7dmzg5Mu0
Malware Config
Signatures
-
DcRat 48 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Processes:
pid process
schtasks.exe, PIDs: 2108, 4068, 4412, 2176, 3156, 3612, 636, 2612, 4776, 3056, 524, 3172, 4064, 528, 3164, 4496, 3956, 4340, 3596, 208, 4364, 1260, 4520, 4208, 4060, 2004, 2288, 4176, 1372, 1676, 3720, 1472, 1468, 4404, 2520, 4072, 3996, 4636, 2728, 1864, 2868, 3064, 1528, 4564, 1856
description ioc process
File created C:\Windows\Logs\SettingSync\f3b6ecef712a24 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Logs\SettingSync\spoolsv.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Registration\CRMLog\886983d96e3d3e 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Every row reads: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process, pid_target 2596, process schtasks.exe
pid per row: 636, 2288, 3064, 3996, 2108, 2004, 2612, 3720, 4176, 3164, 1372, 4636, 2728, 4776, 3056, 208, 4068, 1528, 524, 1472, 3172, 4564, 4364, 4496, 4412, 4064, 1676, 3956, 4340, 1468, 1864, 1260, 3596, 2176, 4404, 3156, 4520, 2520, 2868, 4072, 4208, 3612, 4060, 528, 1856
-
Processes:
resource yara_rule
behavioral2/memory/3124-1-0x0000000000930000-0x0000000000A06000-memory.dmp dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe dcrat
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid process
3448 sysmon.exe
-
Drops file in Program Files directory 7 IoCs
Processes:
description ioc process
File created C:\Program Files\WindowsPowerShell\Configuration\services.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Program Files\WindowsPowerShell\Configuration\c5b4cb5e9653cc 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Program Files\Windows Mail\sysmon.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File opened for modification C:\Program Files\Windows Mail\sysmon.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Program Files\Windows Mail\121e5b5079f7c0 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Program Files\Windows Mail\smss.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Program Files\Windows Mail\69ddcba757bf72 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Drops file in Windows directory 10 IoCs
Processes:
description ioc process
File created C:\Windows\Help\en-US\csrss.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Help\en-US\886983d96e3d3e 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Logs\SettingSync\spoolsv.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File opened for modification C:\Windows\Logs\SettingSync\spoolsv.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Registration\CRMLog\csrss.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Registration\CRMLog\886983d96e3d3e 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\WinSxS\amd64_wcf-system.servicemodel_b03f5f7f11d50a3a_10.0.19200.110_none_eb92573b46fdeff3\lsass.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Tasks\5b884080fd4f94 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Logs\SettingSync\f3b6ecef712a24 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created C:\Windows\Tasks\fontdrvhost.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
schtasks.exe, PIDs: 3956, 4340, 3596, 2868, 3612, 2108, 3720, 1676, 4564, 1864, 4520, 636, 2288, 3164, 3156, 4072, 528, 4636, 3172, 4364, 4496, 4412, 4064, 1856, 4176, 4776, 1472, 4068, 524, 1468, 2520, 4060, 3064, 3056, 1528, 4208, 3996, 1372, 2176, 208, 1260, 4404, 2004, 2612, 2728
-
Modifies registry class 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
3124 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
3448 sysmon.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3124 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Token: SeDebugPrivilege 4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Token: SeDebugPrivilege 3448 sysmon.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 3124 wrote to memory of 3724 3124 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe cmd.exe
PID 3124 wrote to memory of 3724 3124 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe cmd.exe
PID 3724 wrote to memory of 1928 3724 cmd.exe w32tm.exe
PID 3724 wrote to memory of 1928 3724 cmd.exe w32tm.exe
PID 3724 wrote to memory of 4420 3724 cmd.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
PID 3724 wrote to memory of 4420 3724 cmd.exe 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
PID 4420 wrote to memory of 3448 4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe sysmon.exe
PID 4420 wrote to memory of 3448 4420 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe sysmon.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe"
- DcRat
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
-
C:\Windows\System32\cmd.exe (depth 2)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXDoKEq81l.bat"
- Suspicious use of WriteProcessMemory
PID:3724
-
C:\Windows\system32\w32tm.exe (depth 3)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1928
-
C:\Users\Admin\AppData\Local\Temp\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
-
C:\Program Files\Windows Mail\sysmon.exe (depth 4)
"C:\Program Files\Windows Mail\sysmon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\SettingSync\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\SettingSync\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e" /sc ONLOGON /tr "'C:\Users\Default\Pictures\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3956
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\en-US\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\en-US\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\en-US\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
829KB
MD5 28b77e68b269756ba427c8d30deef9de
SHA1 815371ee33e46a6b1a1257b6e01bbaf46ce8d0f5
SHA256 00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e
SHA512 23488adba74b5c22bca70c2b307020b00696eafc37041bd4a578227d2d4ac6c5ac5f1b107159ea9a15ff08fb865409e06164649a1a2b584fb5bc0b8186b73554
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe.log
Filesize
1KB
MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
C:\Users\Admin\AppData\Local\Temp\VXDoKEq81l.bat
Filesize
267B
MD5 9d52b87a4f4d8f934c5cae0f7e4b584f
SHA1 c9f3b0724a6a64d853e5b59d2d72e9ae0bd76864
SHA256 ec3f74fb97a05cf6140c5f6726ed3da800ca75e0345596a9bbefd4c2effaa5fd
SHA512 66f7f1b4bad3b7325415a1c9f2c1ebe4e26e23f1c646a2340d413dfdb6c1ea6e2df9bf40e0cc3789d83e1e625624ca77371a1f3283275cfe351d3e77ed77567d
-
memory/3124-0-0x00007FFCDC033000-0x00007FFCDC035000-memory.dmp
Filesize
8KB
-
memory/3124-1-0x0000000000930000-0x0000000000A06000-memory.dmp
Filesize
856KB
-
memory/3124-4-0x00007FFCDC030000-0x00007FFCDCAF1000-memory.dmp
Filesize
10.8MB
-
memory/3124-12-0x00007FFCDC030000-0x00007FFCDCAF1000-memory.dmp
Filesize
10.8MB