Analysis

Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-07-2024 10:36

Behavioral task: behavioral1
Sample: DCRatBuild.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: DCRatBuild.exe
Resource: win10v2004-20240709-en

General

Target: DCRatBuild.exe
Size: 1.6MB
MD5: 01d84e6b9068bb3e5be23ead859dad8e
SHA1: 4942abe76919a4eb917336dc6ab2fa446c76acae
SHA256: 6a0ee90b6f1dd76a6269315104c2de7a060efc8001cda6339f29096daf59b61d
SHA512: d7e72c2fb6df83f54eae57a2da350f9e5e3e38d3c9fc659d3e3c275a87374b2697eb130877f0e73dd9e4f29c88122206da5ab3ee45861582429c88d588633e7b
SSDEEP: 24576:U2G/nvxW3Ww0thQZoR7lLU0J5/PFiTVfHkOXYsFn2NGPxSRPl2NCd:UbA30hQZoQ0HFmYsB2x

Malware Config

Signatures
DcRat 58 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (resource, yara_rule):
- C:\Bridgecrt\RefdhcpSvc.exe: dcrat
- behavioral2/memory/3348-13-0x0000000000C00000-0x0000000000D4A000-memory.dmp: dcrat
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (RefdhcpSvc.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (RefdhcpSvc.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (DCRatBuild.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (WScript.exe)
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 3348 RefdhcpSvc.exe
- 836 RefdhcpSvc.exe
- 1716 lsass.exe
Drops file in Program Files directory 18 IoCs
Processes (description, ioc, process):
- File created: C:\Program Files (x86)\Common Files\Java\Java Update\6ee80ea7b3238e (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe (RefdhcpSvc.exe)
- File created: C:\Program Files\dotnet\host\Idle.exe (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Windows Mail\Registry.exe (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Windows Mail\ee2ad38f3d4382 (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088 (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe (RefdhcpSvc.exe)
- File created: C:\Program Files\Common Files\Services\TextInputHost.exe (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Windows Sidebar\explorer.exe (RefdhcpSvc.exe)
- File created: C:\Program Files\Common Files\Services\22eafd247d37c3 (RefdhcpSvc.exe)
- File created: C:\Program Files\dotnet\host\6ccacd8608530f (RefdhcpSvc.exe)
- File created: C:\Program Files\ModifiableWindowsApps\TextInputHost.exe (RefdhcpSvc.exe)
- File created: C:\Program Files\Uninstall Information\sysmon.exe (RefdhcpSvc.exe)
- File created: C:\Program Files\Uninstall Information\121e5b5079f7c0 (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Reference Assemblies\spoolsv.exe (RefdhcpSvc.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\38384e6a620884 (RefdhcpSvc.exe)
- File created: C:\Program Files (x86)\Reference Assemblies\f3b6ecef712a24 (RefdhcpSvc.exe)
Drops file in Windows directory 3 IoCs
Processes (description, ioc, process):
- File created: C:\Windows\SystemResources\Windows.ApplicationModel.LockScreen\dwm.exe (RefdhcpSvc.exe)
- File created: C:\Windows\Fonts\WmiPrvSE.exe (RefdhcpSvc.exe)
- File created: C:\Windows\Fonts\24dbde2999530e (RefdhcpSvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings (DCRatBuild.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings (RefdhcpSvc.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1716 lsass.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3348 RefdhcpSvc.exe
- Token: SeDebugPrivilege, 836 RefdhcpSvc.exe
- Token: SeDebugPrivilege, 1716 lsass.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2332

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Bridgecrt\sZWlDJX899JKJ.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4680

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Bridgecrt\HCQUFaJMLZKomKKlWK1JJBtaf0zX.bat" "
- Suspicious use of WriteProcessMemory
PID: 2384
Depth 4: C:\Bridgecrt\RefdhcpSvc.exe
Command line: "C:\Bridgecrt\RefdhcpSvc.exe"
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3348

Depth 5: C:\Bridgecrt\RefdhcpSvc.exe
Command line: "C:\Bridgecrt\RefdhcpSvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 836
Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTkIfO6e00.bat"
- Suspicious use of WriteProcessMemory
PID: 944

Depth 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 516

Depth 7: C:\Bridgecrt\lsass.exe
Command line: "C:\Bridgecrt\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1716
Depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http:///
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4464

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa89d446f8,0x7ffa89d44708,0x7ffa89d44718
PID: 4560
Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
PID: 3448

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 2500

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
PID: 3544

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
PID: 4472

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
PID: 4196

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
PID: 4856

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
PID: 3216

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
PID: 2176

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 2928

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
PID: 4016

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
PID: 3760

Depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
PID: 2296
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3560

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 936

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4852

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\TextInputHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 812

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\TextInputHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1736

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\TextInputHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4880
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Bridgecrt\taskhostw.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Bridgecrt\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Bridgecrt\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Bridgecrt\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Bridgecrt\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Bridgecrt\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefdhcpSvcR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefdhcpSvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefdhcpSvcR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Bridgecrt\WaaSMedicAgent.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Bridgecrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Bridgecrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4480
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4328
Downloads