Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-01-2025 02:13
General
-
Target
221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
-
Size
9.0MB
-
MD5
35a0fbec2fc6d2a550a569719406d58d
-
SHA1
bc73001a0600313803d3594dc51d3d0813dbdec1
-
SHA256
221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
-
SHA512
2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f
-
SSDEEP
196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps
Malware Config
Extracted
orcus
GameHack
31.44.184.52:25350
sudo_06kkh814g4vz7sfklrh1emcow75dz383
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\Windows\Defender\MpDefenderCoreProtion.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
DcRat 31 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Orcurs Rat Executable 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 15 IoCs
-
Adds Run key to start application 2 TTPs 20 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe"C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe"1⤵
- DcRat
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qve4w4xb\qve4w4xb.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC311.tmp" "c:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\CSC682ACEE1636E45D1B935829061461FE.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cibxvhjt\cibxvhjt.cmdline"5⤵
- Drops file in System32 directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC477.tmp" "c:\Windows\System32\CSC842B41524054433789E9C773241214.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qowOLEDHcw.bat"5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Default User\WmiPrvSE.exe"C:\Users\Default User\WmiPrvSE.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\audiodg.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Default\Cookies\lsass.exe"C:\Users\Default\Cookies\lsass.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A9CEB069-CE3B-4756-A35E-CC9C890DB11B} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeC:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeC:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeC:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Common Files\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5837aa56e06bd0a85791dddb333ea77b5
SHA1dd950a9f0c3aff977720d9e1770a2b4f2c84c5e9
SHA2564a6d5b0745a5faaa20edf412ddeee035979f3a357b7dc2c52d2d80610029b927
SHA512c27d9de8e13c0a52ca50d48ee1e7ecea4ea3131be200d02da4b03f089a9a9236ff817df775835f3e8d7e1f96e0d7f53beb5f2c3883ac41e066218f09655e37c6
-
Filesize
1KB
MD5388cdc9e362ec83d1e31af87147f6175
SHA1aeca3be28f64a148e5df4e3e5b45b74e0214a04a
SHA256ab2d35fe2839482d16c03106df7439d1b1141cc3ef79548e25393b0607e3c434
SHA5124e1b4147f1941dd921e972860422e820eb2a797183d91d7ae74941a89d48b8736c8a10153d06577cc5439666e205c1f013f2567a0fb2a1da487a6b05a6326212
-
Filesize
162B
MD59426f0c15f72620a0e79092a4cc73ecc
SHA1e534eda25af53544f4766d3daa7ac38f30c861e0
SHA256961dc8f909403843f605829b1c1e4b22f6f66f58a003863e9e533386a20f67de
SHA512114195c8ac941a8d2329b9793bca41acbe5b9737a4d8e0a8cca55461ca6eb2edd758e9882c5841ec07ff8edb9defcd2fb772ea42b17b987277cde86e2d997d83
-
Filesize
7KB
MD5eb6019cb60f3b62525f81b8fcfbeeb77
SHA1c5062bed5f7d1534696d3784629b7d1043768ea1
SHA2562995cf7aeb9cfaa7c9f94fca5d11cb64a943cda9bdf4e894b2affedbb0faf66a
SHA512dcbb2553170d4899f621c2cc33389fafe4a375f2bc328e8fbdfa32c9e107302cbe6e6dd6afe407e52082e6dd5be2c962d586bdd9c9e3add6726879f69def4782
-
Filesize
104B
MD5fbef3b76368e503dca520965bb79565f
SHA19a1a27526b8b9bdaae81c5301cd23eb613ea62ba
SHA256bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3
SHA5122b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5
-
Filesize
263B
MD5a05e26d89c5be7e2c6408b09cd05cf74
SHA1c24231c6301f499b35441615b63db6969a1762fd
SHA25605628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e
SHA5128c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d
-
Filesize
556KB
MD500c4245522082b7f87721f9a26e96ba4
SHA1993a8aa88436b6c62b74bb399c09b8d45d9fb85b
SHA256a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf
SHA512fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
48B
MD52fa8decc3dafe6f196f6c28769192e7c
SHA169f4e0cf41b927634a38b77a8816ca58c0bfb2de
SHA2567e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30
SHA512c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1
-
Filesize
227B
MD5d47062c8738a534fc931c0f341a61773
SHA1c1175037a0e96363da56bc9d8abdb726cddc74fc
SHA256484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a
SHA5129de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39
-
Filesize
1KB
MD570ebd87a449c83d0645ba22e10ab83e5
SHA15980251d5a46d81e6f48fe53ee04e87a28219015
SHA256b4713f585dbd4185833afeb466a2fbaa5c9d17071f9de2a1f0dfeec01b346c01
SHA512b44a0154a6c4b1f2af61046a0357b8018a5095262f0ec54e701f4bd46adcaad3e88bafe23567e49b845bd83578d0291bcff6a43351d6027ea02c9e1ead96ca66
-
Filesize
390B
MD53893688590f0dd7daeda3267c927911e
SHA1bb26a9b11885f6aa3cf3d047cd5da7b7a8e812d6
SHA2564774d765e6d810568b2370efb980a1fe4d4907373e8eb7bf89d3ed07604fd97c
SHA51259e20a44522754052b456f75ecaa74a83110a402c10b4953751909a653f6f4be577612f0624ea13bcf94f18b7f1bab0be1f99dd13b984cabf5f7e001be53414e
-
Filesize
235B
MD541ed59b666be285ae98cfe4e515e09cf
SHA11ed94e467e9c1aacb167a4b657f34f8a5c360111
SHA256ad2280a8e955377aca47671b135a6fed67309efa20cb5988466c28c1f7f05d49
SHA5128eb395dacbda69ae3d672264950ff04486fdbbdea8448b498acd843e472f1fcbda353ae2da689713b2c4baf79b5acfa44c83bd037f586b03537c59d90fb8747e
-
Filesize
417B
MD54e822b550486d4d709d1df2796309950
SHA176a5b84e932c38389389c5105b57fee148240073
SHA256e8c90fddfdba981a92b5b8c28d70fda356a8f28f83c224e3b37492aeff3bbf61
SHA5125c8407ac540582aa7d1b98262860d5de85da60d4bf2402e0a9b01e214ef027bf637cd53a83910bf2a660d38c3e998791f3954ec6071781600ec18a2fdd67a305
-
Filesize
262B
MD547af0ffc52a6e7b8c13167ff8e451d10
SHA1dbea4aa6846797d0a37414255581e2869b8c60ae
SHA256b2797bada38f8f24720e7dcca4a413a9f2e31c2d3aed89e0c9c79304f8a90eaf
SHA512b4593248d6b91477765d2ebd6f2caa3ff2bed7c20a8f83caf741d103df1c08a1b9a3217432fe4c63e2687774ab6b139333a3f03617397c7f6f208fd5bae2f49c
-
Filesize
1KB
MD58c85ef91c6071d33745325a8fa351c3e
SHA1e3311ceef28823eec99699cc35be27c94eca52d2
SHA2568db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41
SHA5122bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d
-
Filesize
1.6MB
MD5bc7804fca6dd09b4f16e86d80b8d28fa
SHA1a04800b90db1f435dd1ac723c054b14d6dd16c8a
SHA2561628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce
SHA5127534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c
-
Filesize
3.0MB
MD510e817a4d5e216279a8de8ed71c91044
SHA197c6fb42791be24d12bd74819ef67fa8f3d21724
SHA256c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2
SHA51234421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37
-
Filesize
4.6MB
MD5e8c32cc88db9fef57fd9e2bb6d20f70b
SHA1e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45
SHA256f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4
SHA512077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a
-
Filesize
1.3MB
MD552c95032ff8b8c3d4dfd98e51d8f6f58
SHA1e841a32cb07adaad4db35b1f87b5df6e019eb9af
SHA25639b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4
SHA512a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00
-
Filesize
112KB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
1.0MB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
3.0MB
-
Filesize
96KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.4MB
-
Filesize
72KB
-
Filesize
368KB
-
Filesize
56KB
-
Filesize
3.0MB
-
Filesize
10.0MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
3.0MB
-
Filesize
72KB
-
Filesize
312KB