Analysis
-
max time kernel
138s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
18-07-2024 17:36
Behavioral task
behavioral1
Sample
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe
Resource
win10v2004-20240709-en
General
-
Target
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe
-
Size
1.2MB
-
MD5
76552f8bd7533c66bc900c75abdc0ea7
-
SHA1
9a682fc922b82e6896c9892efb85687586963355
-
SHA256
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
-
SHA512
4479dc402d8f9ddf9d8fcb46d9a5048484e59e91b5f4c0b1efd6042ab287556fc028f5e3f0ae03856521bdc346613d848469732de77150719d14dfa3c5171b77
-
SSDEEP
24576:sMYo92G/nvxW3Ww0tp6A3bEXxdhJGx+RYdVmX9ddqGC:/NbA30QArEX+x+en
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exehostNet.exeschtasks.exe7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2136 schtasks.exe 1808 schtasks.exe 1924 schtasks.exe 2288 schtasks.exe 2708 schtasks.exe 2920 schtasks.exe 960 schtasks.exe 1492 schtasks.exe 2920 schtasks.exe 2864 schtasks.exe 536 schtasks.exe 944 schtasks.exe 892 schtasks.exe 1492 schtasks.exe 1996 schtasks.exe 2016 schtasks.exe 3036 schtasks.exe 912 schtasks.exe File created C:\Program Files\7-Zip\Lang\f3b6ecef712a24 hostNet.exe 1528 schtasks.exe Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\14.0\Common 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe 2872 schtasks.exe 1216 schtasks.exe 1880 schtasks.exe 1064 schtasks.exe 1664 schtasks.exe 2916 schtasks.exe 1640 schtasks.exe 1656 schtasks.exe 2008 schtasks.exe 3048 schtasks.exe File created C:\Program Files (x86)\Microsoft Office\24dbde2999530e hostNet.exe 2756 schtasks.exe 336 schtasks.exe 2588 schtasks.exe 2412 schtasks.exe 1744 schtasks.exe 2036 schtasks.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\27d1bcfc3c54e0 hostNet.exe 1748 schtasks.exe 1820 schtasks.exe 1164 schtasks.exe 2784 schtasks.exe 832 schtasks.exe 2932 schtasks.exe 1472 schtasks.exe 320 schtasks.exe 1800 schtasks.exe 688 schtasks.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\69ddcba757bf72 hostNet.exe 2448 schtasks.exe 1420 schtasks.exe 1800 schtasks.exe 2944 schtasks.exe 1576 schtasks.exe 2992 schtasks.exe 1576 schtasks.exe 1768 schtasks.exe 2660 schtasks.exe 2000 schtasks.exe File created C:\Program Files\Microsoft Games\Solitaire\fr-FR\0a1fd5f707cd16 hostNet.exe 2880 schtasks.exe 2100 schtasks.exe 1184 schtasks.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1180 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1164 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1216 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 688 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1184 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 408 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 352 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 468 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1420 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 664 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 912 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1064 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2784 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3052 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 336 2612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2612 schtasks.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\DCRatBuild.exe dcrat behavioral1/memory/2392-10-0x0000000000400000-0x000000000053F000-memory.dmp dcrat C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe dcrat behavioral1/memory/2636-27-0x0000000000970000-0x0000000000A46000-memory.dmp dcrat behavioral1/memory/1728-64-0x0000000000FD0000-0x00000000010A6000-memory.dmp dcrat behavioral1/memory/2636-100-0x00000000001F0000-0x00000000002C6000-memory.dmp dcrat -
Executes dropped EXE 5 IoCs
Processes:
CrackLauncher.exeDCRatBuild.exehostNet.exehostNet.exeexplorer.exepid process 3040 CrackLauncher.exe 2184 DCRatBuild.exe 2636 hostNet.exe 1728 hostNet.exe 2636 explorer.exe -
Loads dropped DLL 5 IoCs
Processes:
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.execmd.exepid process 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe 2176 2788 cmd.exe 2788 cmd.exe -
Drops file in Program Files directory 25 IoCs
Processes:
hostNet.exehostNet.exedescription ioc process File created C:\Program Files (x86)\Microsoft Office\24dbde2999530e hostNet.exe File created C:\Program Files\Windows Mail\de-DE\b75386f1303e64 hostNet.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe hostNet.exe File created C:\Program Files (x86)\Google\Temp\6ccacd8608530f hostNet.exe File created C:\Program Files\Windows Media Player\smss.exe hostNet.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\088424020bedd6 hostNet.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe hostNet.exe File created C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe hostNet.exe File created C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe hostNet.exe File created C:\Program Files (x86)\Google\Temp\Idle.exe hostNet.exe File created C:\Program Files\Windows Sidebar\de-DE\24dbde2999530e hostNet.exe File created C:\Program Files\Windows Mail\de-DE\taskhost.exe hostNet.exe File created C:\Program Files (x86)\Windows Sidebar\ja-JP\0a1fd5f707cd16 hostNet.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\27d1bcfc3c54e0 hostNet.exe File created C:\Program Files\7-Zip\Lang\f3b6ecef712a24 hostNet.exe File created C:\Program Files\Windows Media Player\69ddcba757bf72 hostNet.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe hostNet.exe File created C:\Program Files\Microsoft Games\Solitaire\fr-FR\0a1fd5f707cd16 hostNet.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe hostNet.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16 hostNet.exe File created C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe hostNet.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\69ddcba757bf72 hostNet.exe File created C:\Program Files\7-Zip\Lang\spoolsv.exe hostNet.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe hostNet.exe File created C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe hostNet.exe -
Drops file in Windows directory 5 IoCs
Processes:
hostNet.exehostNet.exedescription ioc process File created C:\Windows\winsxs\x86_netfx-wminet_utils_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_478e55843710fde4\spoolsv.exe hostNet.exe File created C:\Windows\de-DE\WmiPrvSE.exe hostNet.exe File created C:\Windows\de-DE\24dbde2999530e hostNet.exe File created C:\Windows\Prefetch\ReadyBoot\lsass.exe hostNet.exe File created C:\Windows\Prefetch\ReadyBoot\6203df4a6bafc7 hostNet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
CrackLauncher.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347 CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\DefaultIcon CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\URL Protocol CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell\open\command CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell\open CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" CrackLauncher.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 536 schtasks.exe 912 schtasks.exe 1064 schtasks.exe 1748 schtasks.exe 1576 schtasks.exe 1924 schtasks.exe 1808 schtasks.exe 2920 schtasks.exe 2864 schtasks.exe 1092 schtasks.exe 1164 schtasks.exe 1216 schtasks.exe 2820 schtasks.exe 1996 schtasks.exe 336 schtasks.exe 1744 schtasks.exe 1420 schtasks.exe 2372 schtasks.exe 2756 schtasks.exe 2784 schtasks.exe 1512 schtasks.exe 2428 schtasks.exe 1880 schtasks.exe 3048 schtasks.exe 2008 schtasks.exe 2660 schtasks.exe 1492 schtasks.exe 2016 schtasks.exe 636 schtasks.exe 832 schtasks.exe 1216 schtasks.exe 2412 schtasks.exe 408 schtasks.exe 1760 schtasks.exe 3052 schtasks.exe 468 schtasks.exe 2940 schtasks.exe 2944 schtasks.exe 320 schtasks.exe 2100 schtasks.exe 2920 schtasks.exe 1820 schtasks.exe 2708 schtasks.exe 1656 schtasks.exe 2000 schtasks.exe 2368 schtasks.exe 960 schtasks.exe 2880 schtasks.exe 1576 schtasks.exe 1184 schtasks.exe 2448 schtasks.exe 1180 schtasks.exe 688 schtasks.exe 2404 schtasks.exe 2640 schtasks.exe 2872 schtasks.exe 1800 schtasks.exe 2288 schtasks.exe 1528 schtasks.exe 352 schtasks.exe 3056 schtasks.exe 2932 schtasks.exe 2916 schtasks.exe 2036 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
hostNet.exehostNet.exeexplorer.exepid process 2636 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 1728 hostNet.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2636 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
hostNet.exehostNet.exeexplorer.exedescription pid process Token: SeDebugPrivilege 2636 hostNet.exe Token: SeDebugPrivilege 1728 hostNet.exe Token: SeDebugPrivilege 2636 explorer.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exeCrackLauncher.exeDCRatBuild.exeWScript.execmd.exehostNet.execmd.exehostNet.execmd.exedescription pid process target process PID 2392 wrote to memory of 3040 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe CrackLauncher.exe PID 2392 wrote to memory of 3040 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe CrackLauncher.exe PID 2392 wrote to memory of 3040 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe CrackLauncher.exe PID 2392 wrote to memory of 3040 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe CrackLauncher.exe PID 2392 wrote to memory of 2184 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe DCRatBuild.exe PID 2392 wrote to memory of 2184 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe DCRatBuild.exe PID 2392 wrote to memory of 2184 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe DCRatBuild.exe PID 2392 wrote to memory of 2184 2392 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe DCRatBuild.exe PID 3040 wrote to memory of 2244 3040 CrackLauncher.exe cmd.exe PID 3040 wrote to memory of 2244 3040 CrackLauncher.exe cmd.exe PID 3040 wrote to memory of 2244 3040 CrackLauncher.exe cmd.exe PID 2184 wrote to memory of 2848 2184 DCRatBuild.exe WScript.exe PID 2184 wrote to memory of 2848 2184 DCRatBuild.exe WScript.exe PID 2184 wrote to memory of 2848 2184 DCRatBuild.exe WScript.exe PID 2184 wrote to memory of 2848 2184 DCRatBuild.exe WScript.exe PID 2848 wrote to memory of 2788 2848 WScript.exe cmd.exe PID 2848 wrote to memory of 2788 2848 WScript.exe cmd.exe PID 2848 wrote to memory of 2788 2848 WScript.exe cmd.exe PID 2848 wrote to memory of 2788 2848 WScript.exe cmd.exe PID 2788 wrote to memory of 2636 2788 cmd.exe hostNet.exe PID 2788 wrote to memory of 2636 2788 cmd.exe hostNet.exe PID 2788 wrote to memory of 2636 2788 cmd.exe hostNet.exe PID 2788 wrote to memory of 2636 2788 cmd.exe hostNet.exe PID 2636 wrote to memory of 2548 2636 hostNet.exe cmd.exe PID 2636 wrote to memory of 2548 2636 hostNet.exe cmd.exe PID 2636 wrote to memory of 2548 2636 hostNet.exe cmd.exe PID 2548 wrote to memory of 1600 2548 cmd.exe w32tm.exe PID 2548 wrote to memory of 1600 2548 cmd.exe w32tm.exe PID 2548 wrote to memory of 1600 2548 cmd.exe w32tm.exe PID 2548 wrote to memory of 1728 2548 cmd.exe hostNet.exe PID 2548 wrote to memory of 1728 2548 cmd.exe hostNet.exe PID 2548 wrote to memory of 1728 2548 cmd.exe hostNet.exe PID 1728 wrote to memory of 1608 1728 hostNet.exe cmd.exe PID 1728 wrote to memory of 1608 1728 hostNet.exe cmd.exe PID 1728 wrote to memory of 1608 1728 hostNet.exe cmd.exe PID 1608 wrote to memory of 2648 1608 cmd.exe w32tm.exe PID 1608 wrote to memory of 2648 1608 cmd.exe w32tm.exe PID 1608 wrote to memory of 2648 1608 cmd.exe w32tm.exe PID 1608 wrote to memory of 2636 1608 cmd.exe explorer.exe PID 1608 wrote to memory of 2636 1608 cmd.exe explorer.exe PID 1608 wrote to memory of 2636 1608 cmd.exe explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe"C:\Users\Admin\AppData\Local\Temp\7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe"1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"3⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"5⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blvzfr8VOd.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1600
-
C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddgKr4kWhX.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2648
-
C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe"C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\surrogatereviewRuntimebrokerMonitor\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\surrogatereviewRuntimebrokerMonitor\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\hostNet.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostNet" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\hostNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\hostNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /f1⤵
- Process spawned unexpected child process
PID:664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\surrogatereviewRuntimebrokerMonitor\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\surrogatereviewRuntimebrokerMonitor\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f1⤵PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\dllhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\dllhost.exe'" /rl HIGHEST /f1⤵PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\audiodg.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\surrogatereviewRuntimebrokerMonitor\audiodg.exe'" /rl HIGHEST /f1⤵PID:328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f1⤵PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:892
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102KB
MD5c137c5f5287d73a94d55bc18df238303
SHA195b4b01775bea14feaaa462c98d969eb81696d2c
SHA256d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5
-
Filesize
215B
MD50e151f4d7364edd0dfb3fcd2f75459e8
SHA122cd0191190a69c0064dd22342275e5bc82d0fd2
SHA256696d54419ed0bc9ff58ede74b6d95e558a11dfbf19d4af3d9b47d002b1055c30
SHA512bf50a468ddb7c78afe6480758e032add6f06334c362a188c28b0612999abdcd7f5bed6e24ac41649e542bab77b7a5e2e6b3730ebe61f0fc956f4cca61157b0c9
-
Filesize
226B
MD5b4e6bf1bed5db613a889d39ddadb685c
SHA1a538b9117cc8b4174f384cea59d32e6ec553d45d
SHA2564e1a620756096a0db87feae584d2183751990e8dc79f7070fc673571f601dfd9
SHA51242f9eb19d23dffd91b2c6849d2f196817253a3f67ae6ea000f929832cc21d1ddaeb972dec03cc30f994f59ceb786cbd72ef861e001092da2ec4a2fdc236bfe28
-
Filesize
237B
MD567ef89a77b03bfa1932cc54db6dce88f
SHA1a2afed6d40b91cb6d48a7023fea05c0853437050
SHA25667b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30
SHA5127bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652
-
Filesize
52B
MD5fbbcc9f113a6c0c84210f8550cffca28
SHA1b3e94b80d166ad9c71260ce9674b7edd5d00aa25
SHA256fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f
SHA512f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8
-
Filesize
827KB
MD5bc8b1b7e6c72022131728dd99627e1d3
SHA10dcd162ee7a24204fb032b5e02d3f99c185e82bf
SHA25660e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a
SHA5129dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340
-
Filesize
1.1MB
MD5d5073e19a3ad042b1f759bcd13a65a3f
SHA19df8b87566284b169e56ee4a8b78d72ce2e3e5aa
SHA25628aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b
SHA51289c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e