Overview

overview

10

Static

static

10

findme.exe

windows7-x64

10

findme.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2025 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    findme.exe

  • Size

    3.2MB

  • MD5

    4fabffd3dfad2d1e11ae2317b40b6e4a

  • SHA1

    df2ce294dc75060632bfb45add20e69ccc9396c1

  • SHA256

    079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a

  • SHA512

    bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed

  • SSDEEP

    49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat 37 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\findme.exe
    "C:\Users\Admin\AppData\Local\Temp\findme.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\runtimebrokerHost\webnetdhcp.exe
          "C:\runtimebrokerHost\webnetdhcp.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\webnetdhcp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2740
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R2GDdKjFTg.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1980
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:580
              • C:\runtimebrokerHost\webnetdhcp.exe
                "C:\runtimebrokerHost\webnetdhcp.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2124
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\webnetdhcp.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1292
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3024
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3032
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2952
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1704
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2324
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\dwm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2328
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\taskhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2132
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2104
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\de-DE\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2936
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3064
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UVdrS8odIE.bat"
                  7⤵
                    PID:1932
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:900
                      • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe
                        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe"
                        8⤵
                        • Executes dropped EXE
                        • Modifies system certificate store
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2948
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fffb6038-21a9-48d5-9c09-f5b84a0b0148.vbs"
                          9⤵
                            PID:700
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841ae86e-8bdd-4fc2-8005-16f164ecafb9.vbs"
                            9⤵
                              PID:2284
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2328
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2196
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1792
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\WmiPrvSE.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1484
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3016
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3044
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2864
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\runtimebrokerHost\smss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\runtimebrokerHost\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1248
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\runtimebrokerHost\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1048
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2496
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1556
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:848
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2292
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2428
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\runtimebrokerHost\lsm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2152
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\runtimebrokerHost\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\runtimebrokerHost\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1800
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1824
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2508
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1576
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\runtimebrokerHost\taskhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\runtimebrokerHost\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2624
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\runtimebrokerHost\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2400
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2460
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2788
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\de-DE\lsass.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2944
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2964
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\de-DE\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2716
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\System.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2852
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2972
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2696
            • C:\Windows\system32\wbem\WmiApSrv.exe
              C:\Windows\system32\wbem\WmiApSrv.exe
              1⤵
                PID:3000

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\841ae86e-8bdd-4fc2-8005-16f164ecafb9.vbs
                Filesize

                510B

                MD5

                7e3f8075e6bffa80ca65a28f48f60077

                SHA1

                79f0f22d3adf5c16e34c0f6a5612e9b8032d951d

                SHA256

                8f4b2e7263d7c5d435561de489db19eed2d6ca6a6c1d93d8519c45c38e2135c8

                SHA512

                ace8bc501733eb34a68812d231fd249780bd6cac3a55260ca82de158d51a35e347350efc3beea37b6c40622ad55bbae6d12d645f17e827eb859971bc554ec8bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\R2GDdKjFTg.bat
                Filesize

                200B

                MD5

                aae4ed7cbc6713d2b30d6c2d994e5d20

                SHA1

                891fd67012ad8d90c4413e8e31fbbd1fba045e95

                SHA256

                aecba9a7ef3cf85a448596bd641a8136483d3445e8085edea1c6ee63002c933a

                SHA512

                b26107ff2c88eb1d6b3dd6a32a9b3aea279d12d9a550df48d79a91c8df36a7d5149324f2b02ca595fc9a1e14c94c206bead1d03c04d9cb081b76cf98f6957374

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\UVdrS8odIE.bat
                Filesize

                223B

                MD5

                afcada6017818b8bbe18fdce3f862c0f

                SHA1

                550421575c6290b9040e08489cd917f8dd1d5fb8

                SHA256

                d63dec02aee06cb75d57bd147fe32de07a17b2daa5b20944af282806d2efe939

                SHA512

                21bf0af6b850aab64bec038f88115f54d7dacf1a3981d6cfca36f75904f1c92c1a0682488f010cad9f9ff49cb8cc48e0dbf07860f829535d44259af29508465e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\fffb6038-21a9-48d5-9c09-f5b84a0b0148.vbs
                Filesize

                734B

                MD5

                a276b52f546ac93b44c3456598a1f8f9

                SHA1

                4dc2b8c9dbfb3ce6561cab624c61bd189e134fe0

                SHA256

                0a6d4ec0e362353feb43bcfdedf1ad67b841c35a24439cbe5845db165ec589c7

                SHA512

                c0e66f7502cff95019dfee002dae5ddb8db6b3be0610d2746fff00f51121f6e7515a9b75075cc07bffa1e8833eb19d43b24128594a9a9777de43037b2785cb95

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                Filesize

                7KB

                MD5

                2a298fc3aa7ba50dbbb846279dd5ca9a

                SHA1

                d1c90aa60329c0cd3a5ad48b01d20727db2485d3

                SHA256

                ebc6816192ee0e2ec2ae479bb4f0f7ff32d28e80277d835adfbc8c6165013745

                SHA512

                d66cf8255edf45321f1ab37d42b2071567ca0077e744ab2deae19eb5582670487d4fa3384675a6f5d440324305e4ffd6baf467a76433e4f1ec3ed47d3b826dc8

                Download Submit

              • C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat
                Filesize

                37B

                MD5

                2f75cb9c29ad8dc8dab47b39673a8f09

                SHA1

                89b9602bcf66bea31f020c426878acc7aa922b44

                SHA256

                a42bdf46c460b2e7baa4ec022dba0474a9a9a9eef343ae824a533e1ff700417e

                SHA512

                54e8c98fafbeeb42af261747afcf763e17113ef5ee4e23501f6088da93fd004c9db28c1d41c7c9a3fe05211abf9cd40ada3db993cbdd545cb88c32c77eb07812

                Download Submit

              • C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe
                Filesize

                223B

                MD5

                e63c96d58301c1f1e3dae1378b1b0eca

                SHA1

                186598fa4a820157a4c284450f13c567bb3cb90e

                SHA256

                ee8722b767b0c57b52c64cdb9f7b4eca2b3593fbcde9c6106391a6b065195b2a

                SHA512

                390d7a2404c0379ff64c26bc6e046e09d6ab420aade79d7a1e8e2aada032c81621f4aaa5faaa1d3c4049799e3fca91f08198e306d2b2e0a2a0947a50e7d345c8

                Download Submit

              • C:\runtimebrokerHost\webnetdhcp.exe
                Filesize

                2.9MB

                MD5

                eec01d18c981a5973da10c8cbac73764

                SHA1

                a366e8aff64b3b84c129a54615700b9a6a3238c1

                SHA256

                4c8610c40e37fb70da6b33ad42c7f5d8a0cc34a16c34a3837af521efbf79fa2f

                SHA512

                6425dd22c982be9bc1b10a5b885ca1e610b6ee30f2c3a5181f5d6bcdb5a84bdf6b4a5a851c9552f9b7b1f29d5141ecd2ffb0d00d41f3b70c64f7f332a877f165

                Download Submit

              • memory/1976-61-0x000000001B690000-0x000000001B972000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/1976-62-0x0000000002040000-0x0000000002048000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2124-65-0x00000000011A0000-0x0000000001498000-memory.dmp

                Filesize

                3.0MB

                Download

              • memory/2124-66-0x000000001B240000-0x000000001B296000-memory.dmp

                Filesize

                344KB

                Download

              • memory/2324-103-0x00000000027D0000-0x00000000027D8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2324-102-0x000000001B610000-0x000000001B8F2000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2464-20-0x0000000000B30000-0x0000000000B42000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2464-38-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/2464-26-0x000000001AF10000-0x000000001AF18000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-28-0x000000001AF20000-0x000000001AF32000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2464-29-0x000000001AF30000-0x000000001AF3C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/2464-30-0x000000001AF40000-0x000000001AF48000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-31-0x000000001AF50000-0x000000001AF5A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2464-32-0x000000001AF60000-0x000000001AF6E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2464-33-0x000000001AF70000-0x000000001AF7E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2464-34-0x000000001AF80000-0x000000001AF88000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-35-0x000000001AF90000-0x000000001AF9C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/2464-36-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-37-0x000000001AFB0000-0x000000001AFBA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2464-25-0x00000000024D0000-0x00000000024DC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/2464-24-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-23-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/2464-22-0x000000001AA70000-0x000000001AAC6000-memory.dmp

                Filesize

                344KB

                Download

              • memory/2464-21-0x0000000000B40000-0x0000000000B48000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-19-0x0000000000B10000-0x0000000000B26000-memory.dmp

                Filesize

                88KB

                Download

              • memory/2464-18-0x0000000000B00000-0x0000000000B08000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-17-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/2464-16-0x0000000000630000-0x0000000000638000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2464-15-0x0000000000550000-0x000000000055E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2464-13-0x0000000000DD0000-0x00000000010C8000-memory.dmp

                Filesize

                3.0MB

                Download

              • memory/2464-14-0x0000000000330000-0x000000000033E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2948-153-0x0000000001340000-0x0000000001396000-memory.dmp

                Filesize

                344KB

                Download

              • memory/2948-152-0x00000000004E0000-0x00000000004F2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2948-151-0x00000000013D0000-0x00000000016C8000-memory.dmp

                Filesize

                3.0MB

                Download