Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-11-2024 11:05
General
-
Target
d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073.exe
-
Size
1.4MB
-
MD5
b8324173f87ae8a5c69a1e3f7ce33e1a
-
SHA1
882bec5816d33f1d1c58be5244e3c2dfbf62b184
-
SHA256
d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073
-
SHA512
dccd1c3d1f6bc33011e377bdd1fda0bca5116326de8b5b219d977e7d9c16ad214eaf717eabf2730bdacb3c68dce5aedeb5f459af58b27765bdab95549b7b9a14
-
SSDEEP
24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LUy:gRdGcHkBxNYARdzAcqGv+cphlJzxVV
Score
10/10
Malware Config
Signatures
-
DcRat 55 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 34 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073.exe"C:\Users\Admin\AppData\Local\Temp\d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GspXHkBp0S.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1becae17-b139-4a9e-9ca1-3f80e111a962.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ce645d9-c689-4db7-850e-ac17aee7d5b0.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c1fa256-b9fa-4d41-aaf7-09124ac6a41c.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deac9ebf-0ed5-4cb6-9345-1dd9be86db71.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\833131dd-3317-4ee5-b661-e256843b9b07.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93a1bff4-a02a-4b14-a949-c0e98d1e0fd6.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed5c6b01-989f-4248-a08d-33945b93fff1.vbs"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6148fbe1-6a0c-4054-a296-10efae65c239.vbs"18⤵
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5da01736-301c-4b8e-b4ab-c9a178a4eba0.vbs"20⤵
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3feb4c-84e6-41f7-a17a-a1447717a302.vbs"22⤵
-
C:\Program Files\Common Files\spoolsv.exe"C:\Program Files\Common Files\spoolsv.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96d08dd6-e359-43ab-88d4-c62eab8d9f0b.vbs"24⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06b7db4c-2e35-46ff-8630-b11dc3005d8f.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\238b6c51-c1f8-4000-b8bb-cb730f99cf4d.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56598047-1d51-404e-ba37-9032124816fc.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\076805f9-f012-4f16-83ec-0820b94aa512.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66635f4e-107e-4873-babd-cc8f2f38c7c6.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7243497-da3c-4350-8eec-a5d583db187d.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576b4d4d-af11-42af-be6e-985384fb9edb.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156079e7-06b6-4e23-986a-0f50ad18a257.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15748abf-6fda-4fb8-b732-7efaf1aff5a6.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d8d17e7-9c03-4084-9c9c-cbe690f91163.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fc18282-617a-4248-9af7-e8797ffbce5f.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\Sorting\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Sorting\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073d" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073d" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5b8324173f87ae8a5c69a1e3f7ce33e1a
SHA1882bec5816d33f1d1c58be5244e3c2dfbf62b184
SHA256d631d97e01717786e4b9e3bbafa89e90ce56d917a29697c8a7ed1cabd4d42073
SHA512dccd1c3d1f6bc33011e377bdd1fda0bca5116326de8b5b219d977e7d9c16ad214eaf717eabf2730bdacb3c68dce5aedeb5f459af58b27765bdab95549b7b9a14
-
Filesize
717B
MD5b4960cf576da18e61a6652e135b84339
SHA10227075a990bf17c0de56cb0351ac8d7fb12cb47
SHA256400633388baab6767a6ad4ce461b8df2537f30b2fd8312edd23e6e14dad3455b
SHA5122d1e4ecbf416519487e260fe4333c4b268383b5d709a5f772d40f3e163d3399f7cd1bce5f5898d4a761e93c8344bb470a724400210b7891a6e66e60070e72eac
-
Filesize
717B
MD582da6d67ad167d280ce1c9c81b1fd120
SHA14b2bc6c0bd41590fa29527b717384f4d689b5591
SHA256353b50939a8c79601491ed270d73f71c8b61828b2e34b796a3f350c9ed1da999
SHA512e288d7e63550f0987ef20ea6351862e5094a360afd33e3c10ef4f8a2f00872bf9c763227b6d2b6f0c525717335e0a4c46de11194aa0adaaa61c3724428f2719b
-
Filesize
493B
MD56f969f054559fada3d0dfcafe3aa532f
SHA1d5d58d53b2a572843548c440b6be6ea9a68b4250
SHA25664490c17d9bbada6485bb9106b5f811891f86663f83a5a4a7fa887ed667589d7
SHA512918236d5f5c9be26030a99ffd919d01f79d9783eb6a4a12c6edee7d90bc61749bd2cc4d22217f829eaa2d8d7dcbcae0581e80dac9867c24a2df4b70818020618
-
Filesize
717B
MD57e7846542722894d7509966162c6460c
SHA17f500bfdad705a136c166f054cf40c57e0d166df
SHA2562f6f48f98b2e457a94422738e955eb68237887851d0dadc428d07c2d9cf02657
SHA51293f02ab548620e64ca372d674eebae3504420f1cf083e8b79d67e0468b954ff88396d9a4c7d2cb4bd1f271d841a039592f29f32e24015b5f2a6115bad36d5cb8
-
Filesize
717B
MD52fbc9b84a3dfda3bb2a6ca7d7a84d4b5
SHA1772a57cf6ba2dba9d8412b349e9d7b5f8331b6c1
SHA2565a0e2717d4e2917fc9b4cd27a6eda18d5ba7f4f2ca770e1af90bd4de7d4126ca
SHA512a49bc64a49f71d55f4fa577a1b69daf666caa07c1ec8df43704d9d1e7d187f46f98bdd0ab19b8ed2566bb3c43f229238395af660d38cb459a616c4e54a7593ac
-
Filesize
717B
MD5e89ce9a21ec39c25359fb50c4fa2a11a
SHA19a138d90a75c6c08017a32dff1ffa82abef62935
SHA25626e9c4d2942b544dfe7771700dd8fc7841afa74899c783d5ef5ad7f17834e4c2
SHA512dc0d54e9c56e140f0390e044edbea97638a0f38baac6f5e51bdf470c2a89025a20113c04232ba14e8a228e167bfd313c455f94eb10644e1d18ca70be1a469a1d
-
Filesize
717B
MD5439819e89e518599d9103ddb5ffa11d5
SHA1e06e8e4e4f43d33e37583f4d4e61efe9b468dbfa
SHA256f2a583f0b2ebe754f20d838be04d3b1f239deb4f50a652dc6c30ff33c25abfd1
SHA512d30ae5e2fdc979d1808fa278c3f7a06efebc182026872c7fd20dcedffcd2a6f089f3c2d52237aefa3026dd3bdfc59fb9a8531e71d780ac416318805ff1328e05
-
Filesize
717B
MD546da879f94ea1feadd4b904f72ba9499
SHA12f0d7a24b293ed51770aec59477efe418792eddf
SHA256ae043500fa12e6e3c915f8e2b153bc1607dcd3fe6926c309c322508c01181b83
SHA512081661c45784aa98e6a4f287daa9804c0c1c28144a4d4be508aa203964bacdf2bf1471a0a06ae45c78345403ec787d6b92bf3d7d516af093e066a9076a8089d8
-
Filesize
206B
MD5858df111a93950914d827b3092cd2f7b
SHA1a456e774ae69b0caf09dfa3023356d78c178eb39
SHA2567c963967768c09cfabe9ad965a6c3133c461ddc5ba08b5dba486c14e2c064bd2
SHA51253b9746fcb8071973f847beb4e8056a499f6fd99c6ea43460cfa8c292622fb9d444c2a5931a4edfb2819d992f9208e5f715a283007d3d387abbb176ac37c9c78
-
Filesize
717B
MD5f01cebe3d3b2236c4753d939a470ce51
SHA125b861cf658795f7b41680b2ac57e019f0365758
SHA256fd8cc65a26458df8bf909f356ff289e99b90f05ccda9c323864b5e84795f8bfd
SHA5129a42a1a6bf2adb927ab694b0ca32be5427f9fc98c271dda04c951f3be9609c16974d200c6d5850d451ede34ab6d1dfd3dafb78bbf9bb022fb17822eb5cc62c87
-
Filesize
717B
MD568393ed11d8777384153bd212d8cb7ea
SHA1d5107c596f45a275186842aacdb9b2e710dfd155
SHA2565282ea4ef46e7697655afb264f85eeee90ff2b9cf3f502e828b07407495a8fc1
SHA51255d722183ae987282ffbff516ba928127092b58d6c44583c301fabb2c42317c4cdbb1cfdc3b19978b6d56a8fc3fc4f1f4532bfef26973e642e53fb99489419cf
-
Filesize
717B
MD568374fa44faa1ccff6099eb16c2448cc
SHA18dd8922c67caa8ea074d64c0f0f2e2d66d39b3c1
SHA2563267bab5c614d5fada41301557bd620fdaba2db604e53dd526d699837f90bfcc
SHA512e4b1175be4d5a1faf5b92d29cd96e9afe0a811457cfc1c40cbdb2ee6589493f234fac2abcfbfaede1c21eabe9b0a73602d635f35cc5233a006e4d518a4ffae97
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
1.4MB