Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26/10/2024, 03:39
General
-
Target
77FFFEE187FABB45FFC7219D421EA83F.exe
-
Size
1.4MB
-
MD5
77fffee187fabb45ffc7219d421ea83f
-
SHA1
3f21e5a79d674131678ac5de8eaf30bbfcbb177c
-
SHA256
272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
-
SHA512
3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
-
SSDEEP
24576:KufUOExyABqHwzAsZg7ySXHzf9gUQ4zWp2Wn7b5kXxK:K3zBqATEzf9gUQPn7b5kXx
Score
10/10
Malware Config
Signatures
-
DcRat 58 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 19 IoCs
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 51 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 38 IoCs
-
Checks whether UAC is enabled 1 TTPs 34 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 51 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe"C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\backgroundTaskHost.exe"C:\Users\Admin\AppData\backgroundTaskHost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4471f54d-3eb9-4a7b-ae66-48a4e643b8e3.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c2c886b-d406-41ef-bf7b-7cd22484a901.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d08c7773-74d7-476f-8511-a00ed999dd5a.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bd0358f-5019-4910-bf6f-ff144087c1b3.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a47575b-a80d-462c-b938-123e26a0e9db.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2726e532-8146-4a63-8f00-e04262f182fc.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16973d7c-1c3e-4b68-8a41-582e98c79853.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58dc4b64-1828-4b8b-9533-25b2f5361273.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2df7faee-a283-4216-bfdc-29d0d6f209ae.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8d1fddb-b72d-4197-a786-a04061570b8e.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b41fcd20-fdb4-4dee-94d6-223a0511bb4e.vbs"23⤵
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\758d1f4a-e7b4-4673-9958-b853c4b63397.vbs"25⤵
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\717a02ee-8eda-41b7-80f0-fc636a6c09e3.vbs"27⤵
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58f7669a-5bf8-4dce-8e17-b9daaf982bc7.vbs"29⤵
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe30⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48dbe766-b543-4950-a37e-15ed077dcc49.vbs"31⤵
-
C:\Users\Admin\AppData\backgroundTaskHost.exeC:\Users\Admin\AppData\backgroundTaskHost.exe32⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0df0d484-5cf6-4d88-b91b-5fbfc285be56.vbs"33⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a17e3065-4d25-4f8d-b862-eee2c133946c.vbs"33⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd2f4c0-cce6-4db3-9b7c-68334c847acf.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023f887a-daa2-45ac-b1e4-11e46178fe73.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f3870e9-48fa-4c41-83ad-73686c99f0b2.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e1074d2-95b1-4459-9242-5b14aaf08227.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2d82ba-057f-4014-885a-d70f7187fb73.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3109a323-5218-4f5d-b878-6847334e79a3.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82096e7a-98ef-4df6-ad38-5b0614e39f45.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e02ca6ad-11b2-428b-9a63-1c6987ebfeb3.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ab91266-8065-4732-9f60-bbea00046b1e.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e052168-abb9-4090-9d79-3ed1a8409b06.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88cfa550-b90c-4dd7-b43c-49c9c829e47e.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b329a2a1-b547-4d14-a9b9-6c34d0f086b9.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce6a7c8-029c-4284-874b-67cfc4a16c68.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e42886-f114-4346-b6d5-b44eaff48239.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae368ca-e777-46ff-9533-ba421e94f378.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\MusNotification.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\MusNotification.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\MusNotification.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\77FFFEE187FABB45FFC7219D421EA83F.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\77FFFEE187FABB45FFC7219D421EA83F.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\en-US\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\apppatch\en-US\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
721B
MD565850a605cbf15a77a94ae8497081d4d
SHA1517518802154ad9e940c609339dc98192ef57267
SHA256fabbcc68ecfebdc12431dc877201bfa3e18e76174c5168f5627f344f5bdd3da4
SHA5125415f9d412560b2e447fbb6ac36b2fe7eda876a8687698116a0811c38d44bf2524dc10adeaa4a4f90afc5ff4b7ca07cf6e490fbccc4ea671c53cdf4b5c17fdc8
-
Filesize
721B
MD55760d4315ab3bce5cc86631d70a10831
SHA1a1fc32017a7bbbcad69418f16c2632624b87f1c9
SHA2568a8a3ca0b8c358e371166d2509ab95209e8eb39d68440479c07746535fe7d11f
SHA51253ce04955a150cd26659cb3cd3a6c7b712ad402efb4a2062ee75c76335226417abd8713abcb6f466cb00705711a22664b6b88789ceed7bb5bbf933c6983442ff
-
Filesize
721B
MD57f023118f685b79131055f60b3909c85
SHA1f29efbdf91533b3ec8528092e31d95d62ca36701
SHA2564137cc0ccdcc85848098e0e96fc79b6e34b075be529f3de8a06435a464ac7bde
SHA5123082cc1e77bd133c77eecafbc419c69141a2e19d7452fd378dd34752da93e17fa1a858c2cf1434140e5f72cee5aba49fc707eac7e3aa0494dc7de32019db6dd4
-
Filesize
721B
MD5fcdc68567baa6272815be8f8feca5577
SHA13fe653796525bbe85e1de56ec87bd77edaf239fe
SHA256e8d7c00a8737d91dfb5f21e035a89a5d68efb962bbf35a99283b992a0993b1ed
SHA51223cb34d449f96e67f9ca630845179f4a804c1660192ba39414d2175cb15ac22404a7575b8c5788511772807650f3e8071960e3f7ea30e181799ca49d96434f5a
-
Filesize
721B
MD5bf5d4b53f501c1c8c8d6790eed25ec7b
SHA18dfb179bbc0e4c528dbaadf92e10b76c425d9241
SHA256a54c6a7360cc3641a00f2183d8ea66c7f924cbe56c15f82bd97cb26bea18cdd4
SHA5128fca6708ddd6f44825a10a7477ed912e268790b239e17a23fb5350d1557996daf88e8ecd80b355e9bf7a34e84652354e51145e1a0240ba4c8f3d3c4fec45c3fd
-
Filesize
721B
MD5d99d1aa369fd0b083fde14597ba92bb2
SHA196fe34ac5a484506d2e57a322cf6ee7c42a37a14
SHA25620970f6edee7b38f7abaad6b5332b2b3360f4c786b0456ae35fbf33efc74bd36
SHA5123afd659a3e83b870f4acde52a0c20c4990bbeb859f97dde8ee9ed956535225ae117eef40a83a0757e90912cb68650ce0d865d79d27bf3d5c17f9383ea93f30b6
-
Filesize
718B
MD50d80a47ad0bf29c1a10c27e884685488
SHA18d76e9cfec4385e95fa94664a102b6ec0c185e40
SHA256703893bee75d54444f2f68ecee6831bd418d1d091ae1115b2252ba0b76382689
SHA51271b11f4bfd08b6c13421fc4bd2d0b83f8f7a00f49ddc6f96f415efd3142c0ffe241f0de96240e75edf367883b2c2e0a6004aff03fd9eea4387a3f94b2cbc38f7
-
Filesize
721B
MD5f89bd4c8dce12bbd9f44463fddd2f4c8
SHA1d8a221e880b357684b3ebabfe3bcc2d5722e7eae
SHA256007db34ba5f1406169f5dd4fff1f5e1a0af97aa7bb36a2c82aaed486a9214197
SHA5124997bdb99306fbd5e84ffad814aa98a6120dbfdb6c1ed8f3354805aef2b62b3a9432c458e007c6c6b936e9f3c4e060b381622941ce12fb8cc7b741ea2c82f6dd
-
Filesize
721B
MD5bc6f82d93311f02f08dc6b7d448185a0
SHA17caab21524a3379862b9e6abe18c08fac9418f96
SHA2563e3a6c9647044e83beb8c4db610ce2f28c27d81e66e63b11b2eead2d565a6c58
SHA512f975c761298a7033b79143f70acaf1001e02aed7f64b07edfdc4c1816b84126b2c6721e3ce00c46f1af23d067b6451e1857de2dbb03a2f36170c86e21a6cbb1d
-
Filesize
721B
MD5a35bc355991613cf21ca3b9bbcd3c467
SHA193b53e7c65c124ff3c57b4b285d0b737792df3d4
SHA256fb30c6164c54b39bcbcb71b99ab3b12c1ac6d4233936e72a2893c33b3b850a1e
SHA5123251c6ea95cd8e8519462a8ddfd09de33b0dc5cb75bc2505836970f009b2114584a772d57fd910e4467f607e94de3ced3d04f231de81392deb60460cd50a7b85
-
Filesize
497B
MD59f348b1b435160f23e01693bdba2af5f
SHA13d1e09822137fe97f846f3dba6b3c52de50916a6
SHA25629e5bc74b75d5e4d37200c96fc771cc95aea5664df363ece045ed9f83f69fe57
SHA5122afaa9877674dc3a91fdfdbde094643586cfd09283bc3a1d2043ebe3b4d798495aa5a5cd43c49a3ce3ec50a197631ddceea9157b3015c497080600a3bc07bfa5
-
Filesize
721B
MD5a5c1028c7b40b3db73f1f2cea1edd3d7
SHA18ca57690e5f7a5f5fddbf71071457f152cbf9e13
SHA25666681025894cf8caf11358f1243b4a433973b5128c58dc4daa7a65db9cd3ddbc
SHA512043be04c54cd0a2f9d76d7d487d9fbc6876d114a5f8a2fb3e1e937a5674947b39417dd3fe49e7a26106a52d76dcf380fd7356ccaa97d1fc69bcb8e5d19281fb4
-
Filesize
721B
MD5531da651f89f83088f9578690b6c8fad
SHA1d953aac36912bf151bb03ec7d938b27597126e6b
SHA256ad663bfd710e4bf151c2e2aafe0d3f7a892a6c83453c46e393a85f0f9584c9b9
SHA5122ad29f24356a51478e87503204867bfdd95217446e613e82f007eb35bf4c8fa2cb357be7a7f0c173f83393e4f9ac01287829378d22f1071e24c7fa7149bab22a
-
Filesize
721B
MD54d91455d68bda9d4d57e47d97c6a9e2d
SHA103d8555514e03bd3615c92c607e0e1bf28eb263c
SHA256632751835e74f9d63facc4ff4092b8e562faba9d6a2ad64065306c9fe24c68b4
SHA512a509328659ba6e826a502284a80bd68c6c14d17b29a2cdcee1e3e90257dc582e46ba3fc29f182e41dd6ab227eba87dedec99c3754453e386338d3c4fb33acabf
-
Filesize
721B
MD585782e83efb318fa06d8c5f6b4a18654
SHA1ff2dc5671c5a1d829026d2ce55d3037f99e88eac
SHA2562694c16863a787a3025b5c7aac9156a071c40c27fd8c3f7314e89ba806db0b04
SHA512e5058954a6eb15f5ca421ed2aff93f2ebfa5c51d473f3f3184e5b87b30de4a7a630902028e384a9aa811ee4804f14bee4591a5edebd7bf6620d81d3252e860d3
-
Filesize
720B
MD56c58fb840571cb74242a4905387800be
SHA1b02d91feae284cb0698415d1870bb9b5696f93e9
SHA256b179d520a27a17567e6e34642941149199673298b4a2998bd056a1c3befa868a
SHA512047b06bac8fe44b1643f236bff3e3e90b3f6108e173c9d72f7219bb3ce7a8308b9cb02e71124346bda30f79545e95856a644e1a406f39b69cfc9d00ce424ad90
-
Filesize
1.4MB
MD577fffee187fabb45ffc7219d421ea83f
SHA13f21e5a79d674131678ac5de8eaf30bbfcbb177c
SHA256272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
SHA5123c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
1.4MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
5.2MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
72KB