Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-11-2024 02:25
General
-
Target
501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
-
Size
1.4MB
-
MD5
181d043c0617914801548f09d5b776d4
-
SHA1
757f042065a3dc2c9f73e635b41f83591c8ad647
-
SHA256
501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
-
SHA512
c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574
-
SSDEEP
24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LU:gRdGcHkBxNYARdzAcqGv+cphlJzxV
Score
10/10
Malware Config
Signatures
-
DcRat 56 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 11 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 36 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe"C:\Users\Admin\AppData\Local\Temp\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kAPuqzhMGP.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aff566d1-e65c-42e5-8bd6-efdf3e3ca4c5.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52db4f62-e7ed-48ce-a3c2-d75318427712.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c9273d-0b39-4bf5-9e48-4f7b284d520f.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f8968bd-3835-4efc-94a0-b06be3eb0e83.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45e496e1-2010-4e49-b65a-5b621567378c.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69403930-5ba0-4822-8d5c-5d0dd0de775f.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54823048-3ccc-4a21-997a-2a4a68d04ce6.vbs"16⤵
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d2f58c-13b8-43ad-9917-671692360d86.vbs"18⤵
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dd6ca9d-74b7-4a70-ae0e-578a1943ed7e.vbs"20⤵
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73945727-0939-4350-9213-bca2eabc186f.vbs"22⤵
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6460a4b9-503b-4e28-995b-3fb77aed25fe.vbs"24⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e121ab4b-676e-4488-8a7a-29ca5b340ff1.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2c3b8d-57ee-4c40-aba2-76a5a0176cb1.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e8d45a2-d7e8-4dd4-bd19-29ef1bcc1aaf.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d059ff32-b2fc-4b80-a8db-fa0a396f4c08.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10cacfb7-52fe-41a3-9b5f-a82a74ab07e4.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32fe3a47-fb9a-475d-a18b-9d1942d9e3bc.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e0e19e1-8055-44e1-aeb2-6b0c7a8817d0.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0943be2-4b54-4c73-99c1-c7f82ffac34d.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f9e6d29-fa20-482f-9f66-3583d433b2e6.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb38a2a8-8f17-4c37-8982-29f49c76d046.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c85d7574-645f-411e-aa11-9ec7388491d3.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5181d043c0617914801548f09d5b776d4
SHA1757f042065a3dc2c9f73e635b41f83591c8ad647
SHA256501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
SHA512c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574
-
Filesize
737B
MD508f878eff2b401fe1eb5304521b13792
SHA12daa8fda118c025e99d1396e29192d9d5fcb4fe0
SHA256fc769da49c9e29b7a8e39932bad5fc9f9c37200b8ad23322455077bb651ab246
SHA512ef6c576052d4dcc6dbeb0fdf6de1dfea1baca693562dcac7f9488f4374014f9b0e0966abd48fb345b182791d9474dc7e1fd7c20742577477b6e6f0a180d5309d
-
Filesize
737B
MD5deb09cfb2578f0e8fb24d55299939a5d
SHA1ef8399f9e3bbb64a5debffa3df8c002e83e6daa7
SHA2569b7afbf1ade8405a06ece64459cd0989f9f9c5535330c74204ee28fed06a5592
SHA5128c43aa39fcbb139626972d9484495da3d5918e2d4aa363194c4eb4a8995755d27556fbd37e57619497ad34520d98c219f8d8a6e99314829bf4b48348625cdc63
-
Filesize
737B
MD525d484e9c7a9a72ec4a0619db23b70ac
SHA16bf0d98ef60bae1478c16fc02d4c599fecddc786
SHA25609bcde2e4954a0b899126547cfe891fb31b0222a41d8ea1aca41b61f4d1984aa
SHA512378f96361672316ea5e009d2e12bd7dfa526dd2006eead01e941913e6e65dd7efce5e066c25cb9986cd7782bbab8af1de3628bd4ed7a2676ae2dfa87760a0ed2
-
Filesize
737B
MD52a2b7a5d47f5a39e346daac41c62d2f0
SHA1b4561efb42ee5141f070317dd6e69f4bb814eced
SHA25661d66731b32413eb82986ab76e2a903517db10ba145b0d616c8dc947134f248e
SHA51258253d67c594be42dd3104a5a12ada70b3cdd15873b8304d804fa15518e327feaa365b66abd1974e95cf98dc062bf0baa1f74bd19a1e16d749be609bfdcb947c
-
Filesize
737B
MD59c08a189ba698005d59b345832d45df4
SHA1a05256f09630bc554e5cb2437c6e92fa327359f9
SHA25684b5540bf11489e38c9e8e686a48d4b27d733617630818915bf0afeb16e53e54
SHA512470120bb253726e93080ee454ab110765836857348285fda39183cf6b0a5ba74613112688cf70c4c4e5fcfbe287dd7178734a2bedbeb0df6013b3cfa4f0cea80
-
Filesize
737B
MD58655b679bd7123a047c623d48e495ed6
SHA1a6eafa7b1dbd5e17ec8542f008b6b82897245800
SHA256b8bbe3d3e5b90adcf6cd499b0ece93a995311f67f589700113f5a55868879fb4
SHA5124fe546d303b4b8d910e185dd5c6e73fcf4fe9f5b90dad912a59dff51221787d0f58aeebe44d6d4210897ccceee2f05a80b9845ec17a0a6feae66ea0b7d3e9a4e
-
Filesize
737B
MD50f6a8f74d30d2919c6ba9774d013cfc9
SHA17d42f711875f4b7d534a273a0eed802c5cfd1489
SHA256f7bbda85384002d81024f5558915db6cf6c9eeff5943c1fde1b7a976a97568b9
SHA5128a2b5286c0c07f0980733d9603ef32506b1d8deb49678b8ddf7647688a49e84786a526afd42a6cec8c5ae1eaef0e6b5c3d39b11a02c2d611aa21304e5001b1bc
-
Filesize
737B
MD509e1bd4d8c092b49ca18e5ff4f5158a1
SHA10f19d9473fedf68e749d22d802bcf356d15437f3
SHA2561e6d07f6a783ba6e05643bc3e34f1667b6ac740cc09df77a0606963a58eb83b4
SHA512ec3151d456a09de0a8dfe73a592fc43249a7182d2fef6b3656854f80d05ff1ea8862ff352f4b747fa21928a068a26fd72343d6d78812a92b922b3def4f5950e0
-
Filesize
737B
MD5363f454b5fecc12be19b9d35e24efd69
SHA16a2eba5a06caa1c0d42afff76163b65a206f7a56
SHA2560dfcf3b746623c1a04b274dcdff5ec070ccf07a2bef65051561e35de812eb9d3
SHA512345ed01663946b84b51375b1a9c695acc80a9fbfda2dee8d97298fe7f09ac3598d5a0943c5f46c77db3b511cd830385dababb31664a2ba5365627d870f831728
-
Filesize
737B
MD5976e2b536c01012510ba63cfd962b06b
SHA171a9599cb4342550319397623273eaf94f64f431
SHA25676280576f8e577a7a87609fb3555e8a1e68862a0c70d40e17a56a1a3685db87d
SHA512a5cf5f6a886e403c23bbfce0f65fe570343fd84bcdeed92fea640aeae05d609d241adc159b2f4ce19e5f77300b38911ade3f918b28018a4ceabcfa977405cb4b
-
Filesize
737B
MD5efd3d1c40832eaf14e0b0f29bb8ebdc5
SHA16e381047d2f149d0829c61f2342545217f9fab2d
SHA25626e77bedac8dd4a7e0cfed150f8047cfb1bbb2755ad938650fc8d6b1fa075a1c
SHA512ed34e22429aea1ba2591cea2483fd0fc38ed45e8e26b46262fee500b9a72320e0a0e0583cce8872c991a41365c8e9e1f8082b6ba8093f86501d6178890a08bd7
-
Filesize
513B
MD555a39434bd65fecb70779341ccd295e1
SHA19bfacd2df7f5cfc88263d12ace25c774e578e34a
SHA2569cb84daeec9d55ae206db320ace93da4472ced84cef0d1642167a49a281c7ea9
SHA512e49e926c829e1a25ccd41002169b74f0eaaabd3210b7808204a5dd84ce6df3cfc3d04cce6639d914126553e5f253de59bbcd70a24212de38315865865703b70a
-
Filesize
226B
MD54d1d0ef689377ba1b0f79234ebc58e21
SHA10a19933f4996a6ce851bd0678c19b92d5bbbb009
SHA25655cefc489ddbe94fd2fbe7fa5c5bd6b9eeec7fd765c19f35c5e06ffd3aa08851
SHA512fddae10e7f3ffd5622b7d86443be89b42f946e327b90f2b9dad9e9b2821eb656a56574a389dc9f4338ba1d42f4259921423d5446031b7e3598bc39b324df30a7
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB