Overview

overview

10

Static

static

10

6f1b10a1c1...1N.exe

windows7-x64

10

6f1b10a1c1...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 04:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f1b10a1c174cb19fe8f439044e6f447a22f357878f8b65d3e0593aab67672d1N.exe

  • Size

    2.7MB

  • MD5

    730fee3e3541f5fbf39bad2dc667ea70

  • SHA1

    0171c24593ec0a6bcf7905b8daeb232f5adc03cd

  • SHA256

    6f1b10a1c174cb19fe8f439044e6f447a22f357878f8b65d3e0593aab67672d1

  • SHA512

    aa638822f7bb6d1ab7debc5816c4dac21885716a159777a91caec748f9a21746731596bc39378c6323d168ff2d55ac610e385caf34cf2ed50488a2db2408c89c

  • SSDEEP

    49152:7bA3jfxSks5WqWk9IEJKb9aUgXXNOUnkonLxB5ctEC:7bwsgql9hJfUgX8+vc6

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f1b10a1c174cb19fe8f439044e6f447a22f357878f8b65d3e0593aab67672d1N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f1b10a1c174cb19fe8f439044e6f447a22f357878f8b65d3e0593aab67672d1N.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsSession\Ov1RwD.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MsSession\K37wJmF1HmUF8ALyjA8MpCp.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\MsSession\hyperComwin.exe
            "C:\MsSession\hyperComwin.exe"
            5⤵
            • DcRat
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3580
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kitFqHqIkB.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3948
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:792
                • C:\MsSession\hyperComwin.exe
                  "C:\MsSession\hyperComwin.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2784
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pKsc3QO4vZ.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2064
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:3312
                      • C:\MsSession\SearchApp.exe
                        "C:\MsSession\SearchApp.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:700
        • C:\Users\Admin\AppData\Local\Temp\explorer.exe
          "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4156
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\upfc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\upfc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SendTo\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5100
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\wininit.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Favorites\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\dwm.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:5072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\WaaSMedicAgent.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperComwinh" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\hyperComwin.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperComwin" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\hyperComwin.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperComwinh" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\hyperComwin.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:1028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\legal\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4236
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\legal\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\legal\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MsSession\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MsSession\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MsSession\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\MsSession\SearchApp.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\MsSession\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\MsSession\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3340
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\Assets\System.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\sysmon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\upfc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Templates\upfc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\upfc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\MsSession\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\MsSession\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\MsSession\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MsSession\dwm.exe'" /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:1064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MsSession\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MsSession\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:316

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MsSession\K37wJmF1HmUF8ALyjA8MpCp.bat
        Filesize

        30B

        MD5

        fa3ead269fc71745ff9e202da56f658e

        SHA1

        5d2662e79f1e992c0c9f72c050cc676df0f3cdde

        SHA256

        1cf1a92d3e3ce17a13d4827deb0cdb9f89a40116905980b547d7f954d59040a7

        SHA512

        9e3c2ea4326648905360005b2aa95fb0e0935dc641b32af56446abf2bd69e9749c92f22e6eab4240da6505ffee6c1c3f5ed4ab6ac945f59fee2835aa2f9ec347

        Download Submit

      • C:\MsSession\Ov1RwD.vbe
        Filesize

        209B

        MD5

        f5a3f2ada233639fa06802ff18569f99

        SHA1

        da11e9ad7bda556c74204c32691f3ec5efe8b6a5

        SHA256

        3558ba240c76b6de27cdc3ac9370d6b50774aa2d5d5e3fe6a697e971e832aef9

        SHA512

        ab223924c713a6551ded2a1e86d70533d7c1b8d5155f0d12b3b9e7fbc928ead6c452d3112484a6974b3be94b937a333d2b5f3f8852b0a21793d160689aca3ba9

        Download Submit

      • C:\MsSession\hyperComwin.exe
        Filesize

        2.3MB

        MD5

        82fcc473fb802d134540a4d3bc9ddc06

        SHA1

        d879feb817639baeeef685261d8574ab7944f8b2

        SHA256

        f6cf6f23a7d27460b34f9ead8e72584a706ae1e986f3fa3920c51fbd0d6f93d0

        SHA512

        6a67c4b0d98c04c8a86bdd7d3f6f72e1b0f7e3718c58c22a30004ac55c60dc53a36fc764bdee79d8aab981b863c203992abbaaaca788d200c9456ff3d0319cf2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperComwin.exe.log
        Filesize

        1KB

        MD5

        bbb951a34b516b66451218a3ec3b0ae1

        SHA1

        7393835a2476ae655916e0a9687eeaba3ee876e9

        SHA256

        eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

        SHA512

        63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\explorer.exe
        Filesize

        130KB

        MD5

        f27a284ef9b018cdd2a98a7b78ccdcb3

        SHA1

        67e260b11e6227c18cae8925b4f6899103c607f2

        SHA256

        af86dc3f76d39b67b967a3b714e9e70ed43eec8d3871e9691cb45d84372b53fb

        SHA512

        9a8811f13517748539308a70933b126a3348407f397bf30f903019379f927532c64015853b94acf21bdbc554d638a0265d4394d026e289103db06fe93fe5524b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kitFqHqIkB.bat
        Filesize

        193B

        MD5

        137f52a198dcf2c68202b78e53d98415

        SHA1

        4d5ab755b399df32f717d680f0abb50344a3edc1

        SHA256

        bfe668ce06432b776963d4d84736b2b2d7523ee5a536500f8a3a1d5099363106

        SHA512

        a37256f164ccca4c89d9b6585d3faaa7d2693108a9b0c0f0a736204e2e89257732d7ddf407320734e71721dd4d8928a872ceec1a15ace75c4c5bd9b159e6bfcb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\pKsc3QO4vZ.bat
        Filesize

        191B

        MD5

        1b4577c91bd0254cc5d9c35507c42c25

        SHA1

        8c25e5960d718a51419b6c65cffa3805108e63aa

        SHA256

        0231c3e4dad3db75ab374ae3a0f862479469e408639733bf724b3a97d6509d32

        SHA512

        1aa7c9dbb5aa3609a6d3469d4810d8ceb0aff55c8e49a3e817a34510c7b63295cf6b86527543e657cc585e6bdcaec21554c2ce5e0a428357d3f4439329d6821f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        2.6MB

        MD5

        eb81df2c7222c48ef46c781d460c83b9

        SHA1

        c7fe4682e2c1bc5cc55c2913600f8950fe955129

        SHA256

        1594a7f6707f01d3f1688f726af842940fe96fe700f99df23a3d8ec6909e4b13

        SHA512

        6ce26f9d1f1f8f10d8dae13132217ca8aa2d42e98475ee0543f1cdd35f0a06f824f5ef8ab0db03b25c15041560464aa73c545d91d13d6fda72131c7ccc2c7c5b

        Download Submit

      • memory/700-107-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/700-106-0x00000000023C0000-0x0000000002416000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2784-63-0x000000001BBA0000-0x000000001BBB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3580-37-0x000000001B820000-0x000000001B870000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3580-39-0x00000000027A0000-0x00000000027F6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/3580-40-0x00000000027F0000-0x0000000002802000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3580-41-0x000000001C120000-0x000000001C648000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3580-42-0x0000000002800000-0x000000000280E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3580-38-0x0000000002780000-0x0000000002796000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3580-36-0x0000000002750000-0x000000000276C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3580-35-0x0000000000400000-0x000000000064E000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/3940-0-0x000000007480E000-0x000000007480F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3940-2-0x00000000055E0000-0x000000000567C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3940-1-0x0000000000920000-0x0000000000BE0000-memory.dmp

        Filesize

        2.8MB

        Download