Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 03:03
General
-
Target
Bh2PmThP.exe
-
Size
1.7MB
-
MD5
475d2e67ce84a513bd0a1757becc2018
-
SHA1
8322b7bc21b0114b453812035ef643cf532bdf6c
-
SHA256
158c9599f5310708e34c67ba1f72241b28e0b5633dec9e786fd6031a95da6d3d
-
SHA512
0d2277d90853216485a261380727171aa8d2c530ba0d1ce6372f6971d16c37a3ac22196f1fe5c9a9dedd930aee302edfab3e5e89450a6d038bcc98e0af70aedd
-
SSDEEP
24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
Malware Config
Signatures
-
DcRat 47 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 15 IoCs
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 30 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bh2PmThP.exe"C:\Users\Admin\AppData\Local\Temp\Bh2PmThP.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BkFKqKatcS.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Bh2PmThP.exe"C:\Users\Admin\AppData\Local\Temp\Bh2PmThP.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a7aaa10-b253-4e31-8b70-853d7bdc5633.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ad3d66b-c099-4e2d-b4e2-ee612c66afbb.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5dc00c6-f1da-41a0-a5d6-ef933ae4aef8.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dacf077-affd-4a46-9580-ead9269f1e1c.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43efc9ab-98b4-442a-8d3b-c2134204bbb0.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23458244-656c-4272-9f1e-08ce1b41f82c.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61fc0aa3-090e-4873-bb44-42eece380d85.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f8c43a-bbef-4138-8e5e-88cf63b39799.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82f3dacf-f2e2-47bd-94ef-eabff5ae4469.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39478d67-464a-489b-b75e-e450bc342ac1.vbs"23⤵
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\407b7470-40ef-46a6-aac4-f214de5bad1e.vbs"25⤵
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f594a0e7-c32d-48d3-9206-e25b9bf7b88d.vbs"27⤵
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cff71e7-5d87-41d1-827d-67267d1f3fba.vbs"29⤵
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\630c9cb5-d932-4eaf-8422-1dd4bb5b06c6.vbs"31⤵
-
C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c24e744-509f-425b-bc0e-1352136c0172.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28aaad71-75df-4fa3-b73e-af567e01a465.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30941e77-e7cc-4422-bb2a-775b78b2d1d7.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37d02b61-9d8f-4c39-9a79-ee08a97fa1c6.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\925caf10-bd62-47d4-aef8-d4b332f0f583.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3db1a5bb-0d6b-4639-a159-dea95d0116ee.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd1dbc3e-1acf-48ed-b882-5ad8b739ad7d.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cebffce6-7d7e-4663-8c98-59bd2197024c.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec552408-cb1a-44fd-8b26-1205b793f55f.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee19a5bf-66ca-4d6d-9eff-cb919f400b9d.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b62e15-53e6-4f00-8a87-fa8f7f66b9ba.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074ad829-987c-4beb-8ed2-d30cf7a80f20.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d5a5938-1ccb-416a-b90b-8e08bbd4caed.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0bfc38f-58da-47aa-b67b-d84224d49b6d.vbs"5⤵
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\Setup\State\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\bg-BG\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\System32\bg-BG\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\bg-BG\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5475d2e67ce84a513bd0a1757becc2018
SHA18322b7bc21b0114b453812035ef643cf532bdf6c
SHA256158c9599f5310708e34c67ba1f72241b28e0b5633dec9e786fd6031a95da6d3d
SHA5120d2277d90853216485a261380727171aa8d2c530ba0d1ce6372f6971d16c37a3ac22196f1fe5c9a9dedd930aee302edfab3e5e89450a6d038bcc98e0af70aedd
-
Filesize
1KB
MD5c6ecc3bc2cdd7883e4f2039a5a5cf884
SHA120c9dd2a200e4b0390d490a7a76fa184bfc78151
SHA256b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d
SHA512892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e
-
Filesize
1KB
MD59b0256da3bf9a5303141361b3da59823
SHA1d73f34951777136c444eb2c98394f62912ebcdac
SHA25696cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA5129f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
-
Filesize
731B
MD58c513a26e341f0a6b3bb483f56304386
SHA1c2b3204e931f6579c6279fc8bfb18044f4865a94
SHA256cc05fc487d69f9512e01133b961dd0b084c40c364510a67cb8fbd762c1a974b2
SHA512b76d5e7ab34205d5b4e91e8a431119a1d66f49d3c752767f6a32fcf3729b9ab186d5c5bb3f36af6fd5680e7ba231ee6d77bec23c6944c42d38bd5719608c34a9
-
Filesize
731B
MD55f89afa32a55ea9c970b0071567b80be
SHA1cea5d15176deb3819f9e3b6f6e22d4ac45d15995
SHA2562133c3fe4d957e588470a854c20475946ba7ba24a97cb91efcbe644b28e341ef
SHA5129a5233cae89e03e0413063ca3f91f3630b9113392c35adbe6a7703bc82f4418afe796c7597561f193a1944874583bc6d20d24bdc69230e3c9b12e5d3f18a3f89
-
Filesize
731B
MD587a4e0a5f71e0ba79d16b4eb9b72122b
SHA15405673d8298e8c5f4ed90307742c5c9fc9cf274
SHA25601d08366a51263df45e10609bbe339cf4e3f6819096ec198865af543e73392a6
SHA5122b05280e38580ed9578245584d564220e22fc4ffb8fbb416ffa25056e05128742f95f674531fcdc2126b6c24186f668ffdd579519963b11f5b9d3a2fb26c2531
-
Filesize
731B
MD53c3d552eeb5a14fa062a8a94206e018f
SHA198a13b89dd70720b1a36a89281a5e7738534a79e
SHA2569ea300900fd3c9e258454f880e45b95416114971d031d64c10192769bac1bfa6
SHA51226811552ad27cd56c524d52a3ace3951becc8b4069f9e35f463b0e2b1e93ef58085ee72ff95179fe6b9aa3303ef6a9cad16233b2600f847fe21abc055f09a2f9
-
Filesize
731B
MD5b24d1aeda9ce00603a2033f218af6917
SHA15c5834ff13d46d0bf68e8fff63bdc58b3bb710db
SHA2569c851060ca0ea7cc682e6c0de16afde9573528baaea375f8d30cdc8a0f90b703
SHA5122b26ed8f5d64b67fb7fb21b2fd6b0513e02dc06be2b46d5e01ebfaff05c0709d4a3dcb60f052f1bf487f66b9125083b7d6e7ec2105035b999fd0cc43b7497a09
-
Filesize
731B
MD51fda84e597f972aa128ef55648b6cef9
SHA10cd8c974aa4631c77d58e7fa8ec2497c240daadb
SHA256e0a3e2377bc2b96df316168ff80e79b9693bfd5cde2d104bb18bb6e6f18635a0
SHA51212dc4eab07076281a5a752b488c065e0015e7ca9eda2003903ee844cac7b603ef7780109cd73beb6428d237a323e2f5cc65f226030ef17009ccc6b382749e9b0
-
Filesize
730B
MD5e3c03c4e6b5ee283c899ba04b6de2a9a
SHA17dc732c32e6f3fc33f3ae39e15f050e60a69b090
SHA256a7b38d59e4b276eef915ea623db690c036bda0579fb5fc6bffa8ec966896a72d
SHA512a59e879e943449d69f46ed57a9b2ae24133fb166fba1e8a8321f1f24acfde61b093edb7ce92f53284be786afc738990760a018baed7fe0de2cea0399bece0c3d
-
Filesize
730B
MD5f92a994fc54a9b8aa8f4487beedeb2cc
SHA15f6fec251b18d7a3dc9aa9abb6218adb7978eb58
SHA256f7cb3438fd5e018fb8d6b677d8e81b2995b65ad14b8285f5806dc96821468f22
SHA512a02b4638d4997a526abf1edf2f62db61e500630f852a3a13cb9ff716b87dab0b9f218e6af8ec63142bec9b0efaacd5381107cad7730c8e41b1a846edeaac292e
-
Filesize
731B
MD5c55e34a8a7ab08e285952ff6c3c88f69
SHA1b3880d071021595e648c929bac1e739376fe2be2
SHA25686f8981dc1343e27a332832fea8ead77d7ca70a8b6c01a7c04b2d2747a018be3
SHA512c0017bcaa032927e3a57bf23b863cc9721c8e11ae1b3830e6d213e6f956c5980e640b56cbcceda13e8181e9f32b7b99b70ba91c88a43078cbe235631420a501f
-
Filesize
731B
MD549ed075280582442c6a6801879304398
SHA1f0255ae1a0f8582d3524a85b1d505fdc1aae9ccb
SHA25619332a4db3eb5c4a61cd972b336c53279ff33daded20c2d5496f9fcb9e2a68ee
SHA512b52ae3993aa0fb4904ad5752e0c028dac41eae769f9b6d4ced437957a7c7aabb36da7c161d8c13d8b0c3cdaf48ae560694508cd4e39d1e7903da75b56e4df869
-
Filesize
731B
MD55307071441ebf85cb9c8a12d8cd073a4
SHA1d92a5c42e30104409c2c27520954071f82dad696
SHA256d05a44ea1b51e61903884ab004e6c70c6c28fe10deab5d7ca708cabf7ed603e0
SHA5128ad9f98a636e3559bbb3ff6ed55b0fc1fd397a10fbc3e6d5c2553fbdcacb270589cba6f11a8cad5173ae06e8bcd35f5d488737b9071a5a1b6e9eb1dd1dfb67d9
-
Filesize
731B
MD525ccf2b8a51b20d1c90a8e73c9bd088d
SHA1f3551b36e786eb0ffe74b1157998b50a367916bb
SHA25621a59621e9659bfbf9752362fdf244d25ff7b2de613648ee6c76fd53e182d9bb
SHA5128946f982d6e64909797092b293e435ae3c5e2cec75f877ffb85636b33f948a5b1f1e91bffcd31baf13a876250c9b97147c0617c008b60c670854f8a5aeb54dd9
-
Filesize
211B
MD5ad27b47f279cce756e9c26b23139ed92
SHA1e60fd8598577f906cb95efbef04335c36d4a4e33
SHA256614240eca39da6ac104664e0e38afcefa94ef64aa8044425d6724f9b649e5c85
SHA5120b10113f8469c181f3ab5207d712c761c2f73a323f71e290338c552f691f2056d43cee61e5ba829c684643824746fb8f206ac4289b0c1e508a37545256290ff9
-
Filesize
731B
MD576eb93fa7cfdf91ceb0f99525858338e
SHA155932aa7501eabed35c3dfbce8f32394d28ccd4d
SHA2564e77231305948bb9dbae45a0e31e56bdfbab25e3a6ac732eb917eb4af7b5e943
SHA5128d362782750fa36e99ca7e7c1f1daefb6d58f0df4c776bf4ef6f107c90fdc0c4b7719af9959b8db50cfc6d34be3365ec6bd55f54a42af7ba7a01b87b9acc3454
-
Filesize
507B
MD5ab1c191638b986936d5ca5b6ff7c31d6
SHA19b683d89393f87ba0fca45d4a20b7e4904c910b9
SHA2567b228ea9b15a2abdcde3f762755359319d26741c537ce15db7b94f3623b7c3c2
SHA51295be385e8bbfca4e3016c300eb933b78b0ec5abc9f70ea22a3cbb324aa66d9ab4d3c75c3ded590983a9dd225952427a4876f63afcc33065b3122f227da0b385a
-
Filesize
731B
MD5dfba248579e65b8588aca0d4e5293c8d
SHA10761f7f91b0acca2e67e278768755ba2f9d40189
SHA2567c454dc0da42505987346aeb3199a3cc81f8c814ec42b910c51482e3a728275d
SHA512ac6b3f7bbb447f0954148b4514859a99a600bc808b1f3752efa24a297aadd258141bde06865d257f30f0435d19ce40925c82dbc5e5da35f8be4fed35ac0f7709
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
1.7MB