Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
23-07-2024 00:51
General
-
Target
AsyncClient.exe
-
Size
66KB
-
MD5
63ea16bb999507c430e7133950d157d7
-
SHA1
e20dcfcf0c92a64a86bc48902c77d871aad52e15
-
SHA256
43138adeff58347b55fbb2d28d7ff2b5a240767ddbd15cb6c0e1f9e0bf72a2ec
-
SHA512
07f39923f30e09dfffb8d4b0e2507cbef3424c34cf8fae51ead6318c792f74c82c710fec376eebb20ad8fddd0f0cc1ccee6acabb8f865bc3898263010e26f986
-
SSDEEP
1536:D2wukvF1ak9gcKu5UYF4jieQCk2bHM+9ga+22d9rmTGBx:D2dkvF1ak9Ku5UYF4jihN2bH7d+F9Eyx
Malware Config
Extracted
asyncrat
| Edit by Vinom Rat
Default
saturday-surely.gl.at.ply.gg:30089
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
DcRat 41 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 39 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 26 IoCs
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 13 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hovtpw.exe"C:\Users\Admin\AppData\Local\Temp\hovtpw.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"5⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af6d6f1-f9ca-4dbf-a609-98d144ed2edc.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14e1f8dd-97cb-4f6a-9b71-deeb13a58c21.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc6687f-f2bc-43de-a6e1-04931072f044.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4461f3b3-6d28-4382-8003-1fcb2a86aca2.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8932713-d21c-4794-8320-c78bcc57e234.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd1382d-f99f-4f08-b4af-05652643d859.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5164f896-c7fd-4c21-989e-894822c92a23.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8672ee9d-a884-4a9d-9357-ab783d420963.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d20064b3-254e-4656-8dee-0533aac2bc27.vbs"23⤵
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49516b22-2d31-4ca6-9ad0-fdaadfa4c08f.vbs"25⤵
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b75fa26b-52f3-41d0-9c23-63aa48b10c28.vbs"27⤵
-
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24efefe8-b486-4514-be8c-cf87eefd0ffe.vbs"29⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbdc79a6-34c7-45d4-bf5b-1e085d93bdea.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce276b3b-d015-42e9-b9b9-8cd94ca04a63.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e8bfd6-524a-4da8-9b30-93de92ee23da.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd7bae4f-2cbb-47c6-bc4b-18789a6598d4.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91da0304-79b1-4a4f-8b66-61296f12c575.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd549e5-a621-47fa-a15e-c1f4296a7b7e.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50a437f6-7bf5-4c79-a2e7-4140a5b874ca.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\590c719a-0822-4eaa-8462-4b9e480ce3d5.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d3cac1-6002-42f5-8054-09b57ada8e59.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2bb39b-3027-4232-abf5-bcda0f046a58.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d81f75b7-9b0b-4a0a-b900-a2c1a49e9b64.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a2c4dd2-3fec-41e6-b803-627c7f7bab31.vbs"7⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\5iu40kon.inf2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\TiWorker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TiWorker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\TiWorker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""C:\ProgramData\Getscreen.exe"":close")2⤵
- Checks computer location settings
-
C:\ProgramData\Getscreen.exe"C:\ProgramData\Getscreen.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Getscreen.exe"C:\ProgramData\Getscreen.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\ProgramData\Getscreen.exe"C:\ProgramData\Getscreen.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -child4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Getscreen.exe"C:\ProgramData\Getscreen.exe" -elevate \\.\pipe\elevateGS512zgrdhgy1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5c062dc70bff732dc20a897cebb008b87
SHA174c0adcc331615fd53dedb96d0ca31c797dc2378
SHA25626ef17585f22d4c7c9862106dca31e3a5a0d95c129cb720ef03d62f9c3657a50
SHA5127f4d7f20c90cf99c3a29d5ca631fa07ee54cc2ca7d9669756ec0e18fe07291504c2b5172d417ace64897768fef4f2fca09d40475cd750eeee05e126bc886ef72
-
Filesize
424B
MD5530162f3e32bcbcb92237f56ff91097b
SHA19667059650d2c2e16b7b35349e0fa19055a352e5
SHA256bd9dc84a2a873be71ae236480d6ff89767a85e4a1b1eafa688623202ce83e206
SHA5122d5d899272e9001143881c1d1390e17d3e62dce2e51c1f878b3bb7f1510ba1dc041b135172708c04086d6553ce758719553086129ca1688441507acef7a5edb7
-
Filesize
1015B
MD5f63d0a0a9f4593a053bca2931b116c62
SHA12191443c5ef656ce5ee7372f8ed38d631539d1bb
SHA256e49010424338daa07747ad0994e97e1f2291594dd4c7d3cf687d710f75e145ad
SHA51267c55973b25de6628512d07341cc1c2398075a8f0b5bc88744872a7d32a2c1e22284803a74734a7f655561fc87bc1f39df9aa410bcc12b669cdf056927a17896
-
Filesize
1KB
MD57dabd40835be155860832729cbb2c5ad
SHA148891fc071d3d8ca95724cf6f6109007db2afbd6
SHA256ea6de481a6a2e748dbd62e4dd2b4e49808d57b5ca8b0f6bd50a57d559ede0dc6
SHA512ade93922b7a09731e1452f0d04b6a7c6aa83d2d1c48c4383db36b0d519e192ee6388b0473acb03ebccdfae66be1545e028fa8c67f0f4e03fbec0859b71169edf
-
Filesize
16.0MB
MD54b1b4e345cc5f2c368f3ac861ef9cf78
SHA159a6c0a73cb6e95ab5ff8575cb5777ee7945dd0c
SHA256ae8286341fde8f581c76ee67718d602efcc5d94de663d2054f9dca1a6195e987
SHA5122dd27dc84c14f7d88bee7494900a68149d6d7de1db768d92e6fc69263646f0e7a22dddb36aadb35d4176fa284b16d293356a0403e87b758e13b859a6368edc0d
-
Filesize
1KB
MD59b0256da3bf9a5303141361b3da59823
SHA1d73f34951777136c444eb2c98394f62912ebcdac
SHA25696cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA5129f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
-
Filesize
771B
MD5ae5c260e68a3780650820fcd3e8bc52f
SHA13aecac11f526f1872f89dc61f8c4248d8c3887b0
SHA25677eed194856ca4695c8702f7ee8ce029afb0adbc652ff18eae124a61e1998664
SHA512937efa488a1f05a7a0934f99279fda6da547b702ba304f79c703c515184a9cbb31ef411a2bfd88e8451901c65a2b0c069d8f6f08e751b7f7ea2d24ab5410c96c
-
Filesize
772B
MD5eb0d08ae238c70e8faf1792e31b3e0f0
SHA1923e20cb4e32e2aa6038174f9c28a9003280ac23
SHA256a0cebbb097a2bd7809209f15828282e3d6060fe545e4938fdd91172c05d32302
SHA512bba932907bc87b68381407c1ea8fb979a45195d8cb2a87bf9b70243f25bb2c8b79b8a473f443bfd3f91492fb6e8e85261e6626834a25c7d037f5e9da6aaca6d3
-
Filesize
771B
MD538629e29206c5bdf7d9b9567d7459a90
SHA146134ec4257188bd18535fd4bead01a4dbec6c08
SHA2568fce4c76eb42345474399f204898fbeaef46b2cc533a23ab441b3aa82313667c
SHA51238ce0423f163283e8c3b2c52a1dcc5c47439250abc934adeee0b399f85c40e907db30025addbeb5edad95dd312b989e9adf69bcec25e7aa6208593cd1a406c05
-
Filesize
772B
MD5180c21b48e78014e95fb7d9806e0bca7
SHA1f5ab0214081fb27894dd10c182c3ef3c716a0888
SHA2561748bb0642b70641ca37903ccad50580999d37c4efe0dffa72644ffb20a563fc
SHA5124001abd8f3d5d7a1b82e89ad1fb41afc08de10b021e827afa95597d1d9d162d0125a5782126499394b2164232ebb46d665c7a97e6a87fc694dbcbcbe2e815c38
-
Filesize
772B
MD598af5a3d746dff3c8dce0380252fa5a7
SHA1972a2e87984aaeea068aac45c1a22c5c24b0803d
SHA25661bc139e5091860ca5eb5c3dc1782de042ee72b3b9ef7313d24822222215c6e0
SHA5126e670e109774421b2e15164ebc3d50ddc0c9737aee90b16b630dca85365171a6b4ef324343084c3e2063e98a734a11b7448f89296977dedfd88d4a4d28936fa1
-
Filesize
548B
MD54d37681a2eb712b037c5cc13868962e8
SHA1ad323cc1e1d325015fb48aa9c63c7e5222fc5f6f
SHA25639f56be7b00f2ee167e012350e558b745f739480cd2f7db1cd4a6a78b5083a3f
SHA51284b586789502a93122b2e07d1594bb74bb6f7291bad36c7bfa535ee594f88c7866b81322b35f4bca6bb6ab87a3a3f1938734040966c0b235d68fc082d2dae3f6
-
Filesize
772B
MD59fb74fb2a458a36dd977241d404f0d5f
SHA1e15eec37e08ce76baf459ba45ac70033c3df901f
SHA256cc92109fe2998948cdcd6358227080911620eb7f41c9b9908b5d50aebd944fa4
SHA5129d59dffc24311e669660b9edd1bcaaa0587d84481b47313f4cf305ec1261d349bfbdda62c86c8b637b2609111de5eaa92654046e3e0d9349d81e8ec1c29f4738
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
772B
MD5ca4edc37211c68e51c2cc8ebaa3f86a9
SHA1e8e9a0576d3836bd4aa7ebaa89fbd5d6960021c6
SHA2564b09a39ee1b3fdc6008e60aadea4e75c9f98e2898046bf68f319ca680233a0ed
SHA512a97e1aafdd9e74035d993f99923b938d4673affff2fb43e3d89536daab915149fddf4e1a071dd22e2ad688e0bce59f65a6c7654151ef335c463fea53821e7cb8
-
Filesize
772B
MD55d8a59058b4cecdfb64ec67c2158db13
SHA1ba24589181db54b47a88f2e4940d673853471367
SHA256528f5cc8d31e776bb95e8d849f7af056a653b68903a492acc7831623d0cd88f0
SHA51289f7c1428bffc2ee7f9c2373f766f8cab669a9972f717a2a89f7f24bd3477769e9366adaaa5ed8cabd5a1719c49896578532d5739ef281af7e6bd95c5976265b
-
Filesize
771B
MD57f11ffeefc2a9f84848222f606948290
SHA13b7fd74cbb705e1ee3e4638bef096afb9082c7a0
SHA256c4f68d0c1c7000e9cc7f6745f1b39f0ab7ebb391662e6cdce147bbfc1f2a285b
SHA51219c3e51dcaf0f0d16d3ba328fbc4cec1aacdfefa520f91046d8e503156f196c2282ed5428b5b122c21df4df9679425ac076fc13a1a75dfcc582f16f53176def3
-
Filesize
772B
MD592789aad6190d52d7ded87a3c58a16e4
SHA13b90fb743351980de2dc4bfe9752bfa67305d09f
SHA25631ad2ab974f4775e51158722783a78891a586d8f4d910364389770e7c69f2ab7
SHA512de5bd20a29fdcbcce122adc4ce7a301c7c6b5fede46f0e9a52c4bfa48c5cb8669db51883edc8b97d76644ccdc94700d0f86beb37c2bc3aea1ac9e290c799cf40
-
Filesize
772B
MD5c414c16115e3288089e737f508955387
SHA153409771eccf217df6a7d7fb00e33f9c9b592f6b
SHA256bb86f2dd119a51a66b259235d01c5d6c51e35ceb83515ee5fefacaefda3d6667
SHA51276e92959969c81c6a2d5b438c455a883d6a29dc7c06a0920ed7adba49d23721d929ea4530ec7c98c966d8f403b36a07d0971678d90303379cf80685f8120545e
-
Filesize
1.9MB
MD59c49f8ab036331a19ab63f9aff82db38
SHA1a27f11d48f1428b8efb5384f779f355271cc8877
SHA256c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9
SHA5122a61a2bf0bfff8c84f2ba5065b87563edd36b4a8ab34e2354f01e46a9ab7d19677cda9b686f95598921de7c2480da53a5e76965f01733e875033208adf9bfecd
-
Filesize
38B
MD56c77726beb17fe13c44cbc3312d1ca54
SHA1919076735be5e1c6c9d077b12beadce4470c7bb2
SHA256e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03
SHA5125089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4
-
Filesize
1.4MB
MD5f1ca585436d62720be1c8d7f24fb773f
SHA13687e578f150e45aa5194f9c485b221459f0f454
SHA256dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7
SHA5129e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc
-
Filesize
209B
MD52febca5513bbb1d2fb14b29bd4998314
SHA15fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def
SHA256d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112
SHA51260a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c
-
Filesize
12KB
MD55f43e657d0898672ad25bc085ad29725
SHA10438646f3c8e8243da282614b54f85741d720f27
SHA256d2ff9bf64b5a303063b4246b31bbc82a0f9e6b01d8456ebcdbd399f694118a2a
SHA512902bf5c2adabf1d1b6b97c1aa8bc54326248aa4ed64a033cfec82552d68b25e6a4384793fa01026ed892934fbb947ada59eec700f7bbc77fa98cc0bcb6da04b7
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
1.4MB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
136KB
-
Filesize
88KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
5.0MB
-
Filesize
40KB
-
Filesize
264KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
144KB
-
Filesize
408KB
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
28.0MB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
304KB