Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 09:06
General
-
Target
646A50D060AE1B649F0CA735AABF5744.exe
-
Size
3.6MB
-
MD5
646a50d060ae1b649f0ca735aabf5744
-
SHA1
a666932e153ef1d2c2463009e0df4de9bdf73322
-
SHA256
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
-
SHA512
0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c
-
SSDEEP
98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M
Malware Config
Signatures
-
DcRat 44 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 14 IoCs
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 42 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 28 IoCs
-
Checks whether UAC is enabled 1 TTPs 28 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\646A50D060AE1B649F0CA735AABF5744.exe"C:\Users\Admin\AppData\Local\Temp\646A50D060AE1B649F0CA735AABF5744.exe"1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\fontMonitor\B6f2SnQ47.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KubgcPF4Z1.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dc5aa83-e201-4a25-a2f2-2a7b5aa06266.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b9bf52-bea4-4302-a995-c9995d53ea07.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8ca406f-b218-4048-b413-15e84591e62a.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c943bb6-7ed1-448f-869f-5505eea45009.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e3ad4f8-b924-4fcb-8e3e-b71bb9016d60.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3498440-025c-4dc6-9434-15bddc43a88f.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f04c40f-008f-4b3c-96b5-4f4c0489176f.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86298cc9-38bb-4c03-b405-0a41b091bc61.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a0014d0-0f8f-491a-af49-bda1d9629360.vbs"23⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9cbdcd4-61dc-4869-81c2-8913b74d3d74.vbs"25⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\768c799c-435f-41f5-9f90-d1221e222b60.vbs"27⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98281b1c-1ee3-4fd7-8bb2-22eb34097ab7.vbs"29⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe30⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85d6a6ac-9c06-4144-9941-97158d1f4cea.vbs"31⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\021623b5-b490-4b38-9cad-50df7a21965d.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1107bf13-a75a-4d77-b2b3-32d68c5adf2a.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b9eb0a1-424d-4718-9446-4ef79ffa6bef.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7b5e990-74f1-4118-963b-bf0d9d8d9ad8.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35fb35a2-3269-49fc-bf39-c92145ce42f9.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aabddb4-c79e-47c2-9ad1-9d359d548e1b.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd3bde9-8ef3-4866-bbe6-2de6e145ebe7.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e675e08-83fb-4a4c-949b-3d3428788974.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e360a9d2-009f-4d1d-8024-d563e9f92a9a.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f27be54c-3e17-4412-b8fa-0dfe89c222da.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e42fd2-e89e-4058-8d73-f3ac1aee6c2c.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a60ad70e-8edf-46b7-8908-1be1a57cb796.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68664b3b-1289-45d1-964e-cccef863b8f8.vbs"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\fontMonitor\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\fontMonitor\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\fontMonitor\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\tracing\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\fontMonitor\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\fontMonitor\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\fontMonitor\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\fontMonitor\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\fontMonitor\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\fontMonitor\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Templates\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\fontMonitor\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\fontMonitor\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\fontMonitor\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
709B
MD5dcf96b7cc7733b5948f5c0c7d2a5f70c
SHA1bedc4b17b4e5ba463ba4ac0a632e03a98faae08d
SHA256fdc9430f5efe2b4d4aab030b80c1f294c072f1961c3357d326d1da0e6ee4bc73
SHA512a353330f98516f28c3e6f9e7af6914c8f7525022905ef65a8fec0e6cbe29901cf6ea6e6f89c95f0c696ebad1315f858b594ed2700a2bdff77b642593339f99e9
-
Filesize
709B
MD5d55bb408628f7027dcf94552fbfb8ce9
SHA18ea68b2855cede587eb04d22b7925213e77648d4
SHA256065b408bdc2bce55d68562d0035da86af50ac0eacf2f0f8152fa3c0bdaa85a22
SHA5122c4e7a33d8b23d194eb71f3bd6b4bc4663c90db26b063d6ad2eabd5f20d3a51f40b46e48e03d678d145d0777f1c201e84c942eaf7742aec424f37f3ea2b1b429
-
Filesize
485B
MD5300365ce15245f82f0eab9219b0b4c39
SHA14d629fe7bec6082e784323b617cff6ed870da003
SHA256401ff064bb45bf15681c51063753d3ce34f544b2d3fc14a3be52a7b2696bffe2
SHA51265d7dc08796f7b8be18f19a9d5d485bce4af6d5c86aaa0d84ced21d0047963355ac6296f82bb43319194934d7fb4758a68055f02a540ea3842f65538ef58ab3b
-
Filesize
709B
MD50556901142138d23970cffc8d0da3a0f
SHA128c86739aae9cb9adcc18140de237c5ab15edb79
SHA256ce122b4869db6796f4b3cf5617a00554eb033a1b4195370093ed7b5545812d75
SHA512746e9c1ac686a5c45c9acaea5c62829803ddb97b898462718e6404b1f1ee5f7729cc19bad5f841f95b7b420573230cf6635c15072640ed4691bb4e98b2ac267a
-
Filesize
709B
MD5bd427397b755c9be7cc3200f2ed3a0e3
SHA1ae38255df67b2759c3e39225713ed2387ea171a3
SHA25659e3cf3a6721a7372b649da30385bad5bb7d89cf0c9196a76a3ebb1706eca1cb
SHA512b380f8cfe8b3677acd35098c008dad59455ac4de6cfb818f7216b6737ab8592f886a4728de27376984d80213272eaad3cbc0e20a6ef4445541ae5cfdd99ca366
-
Filesize
709B
MD5731b7060f22ba1770690894e3beea926
SHA1126bb46fddee512159f0dfe78cc7cf8d2708afa1
SHA2564dec398f5b202120b9ee500ffdfac63667209d92292ca6a3f943e7fe734df007
SHA512c0e8887b9c2ba6ed2c982c2f17ffdca02a757ff81d1bb1ec077ae5b0d1fb26805836851d021e1f20f5f089639144f9864e30d29c41f6ddfffdf7dc7122b64f03
-
Filesize
708B
MD59a2a690410003acbbd87fd9fd7e822cb
SHA1de7c96affb160e8b6eb1b6e20ba6a8c28d69b630
SHA2562fbf58dd785db5280296eca95e389746fb7f6b523b209f59e2d1729497e3da95
SHA51275a8d2aa387974a50ca7fe0eb35281e3dd5a1b9701bd850efc72fa91fda5fe998aabeb983a8ce4a510617187b4aac878dd5d3a3bf61b06ebf0ec9610da53f422
-
Filesize
709B
MD510f1c1efae20bd62c4255104436fb1d5
SHA1708ed48712d66edda7925b08a0467ff8df8494e3
SHA256b55a5fc89837b93ab873ee4872405f3e5a04fe9bc4a68a9c739640d664d75024
SHA512b6b4be4308bf44bf9f399fe2e58e13bebc9860871b2a246377fbd2cd273ef254bc6f31c8aafe918e6ad26b2bbfa34b1581747db7da375739c90c80585c4e1850
-
Filesize
708B
MD5588fe076d0c3940b33cd7089f962d0b8
SHA12a65a3837383565ed4daa74e544c32a4e49e6e61
SHA25686fb99c949a8347ba443acb53b7b2f6105081739a26ac8a7801b21353600fbc7
SHA51210f1f8ea7b34d9689c7bc65448192d19c088498b9064e6a2ef70edb73a3b0c4f5cf4010f9d543dd9c823bf1bb3621642b32441f2aa837f9e7b872283b5eaeb69
-
Filesize
709B
MD5306bbe655316b577736d3cba4c2ce9d1
SHA1102c95aa2e7236368cc472c3a614b8fac59361d9
SHA25681f05b43840a1303a4c17f0b29914425876fcc640f08242b27e58cc69f913120
SHA5120eb53511bdd1aea77749fbec5c482de17fab4c077414db855a117b41d74fc64e1c22028edc7565c8a2ae86c3740fcd5df1152d7659c504b6a47d188d3586eebe
-
Filesize
198B
MD5f724a337957ab3e641b5884ec162d21c
SHA13eb378742983f2e9c57286ac14926a1fa2a71882
SHA2567f4bf15802c8407831cfa7f89f745d9b43db563c3ff9d26d30bd4c48a1d6a92e
SHA512ef2bcce40525915240dc5bba12814df0ae3d2f5a4025ffee7991c91a98c7394204487c0a66507daecf372f81ee3142a9cba9c1f9b3fdf2fcd9b1391bd7c86965
-
Filesize
709B
MD53e581654b4ba7d826f5f6d5420b0c069
SHA112fad63020ec41673c9df409812d215be29b9587
SHA2563a8a4a50facff1707d14bb21f36cdc3b7d0da6999e9ee4e0500364acc7c48ca2
SHA51284b77fc1499667fd995b3a039fb1ef5023b9b543c56dbee00ef60216471e133d4b862a954baf191b12a8581bd0807a906809e93494babcf6c257408b2dce6452
-
Filesize
709B
MD5aa3644a10ec1f845ed0c66e69b9d5a62
SHA1d0f34032daa1bcf481c2b322d846331aaeb7768d
SHA256c86b6148c800e896ed0d255d2478f904220c6ce05743d7e201c4240d8497e48d
SHA5124787d6ee8fd8959a493bbdbf6796cbd33d5bb5440a98d9daa28332861cd2766305e302c790c2d5fc2db36c70ba2e6f50d1e5608bee3779ba5c5f7b6b751a7e53
-
Filesize
709B
MD5649e101f0f52de62ee83e9de4abf29d6
SHA1c019f7483055e4de03e2d55cfe848113365ca4fd
SHA2563c355c17bd17415050ee585f9239297d20ece820abcf942c5b67de2ef73c4d29
SHA512b3e49297463739bfba22354e1b0f62e3bdebb86e2a814ddddb6e695fa767486bb714a4941290cfc048acb6f366cafd69a189146ee36d6185c862a45c0ad94ea3
-
Filesize
31B
MD5d919292d76ba6af3f0a7c88b2d07c4fa
SHA10fa76a1456603b525f53d9e787d1a800172afdf8
SHA25652bde46534a8a1ea436617040c311631ce470e0e60875585921e2b3fbde3809c
SHA5123a39f5a6a544634841f20d26dcbc3b2f875639e38eb1f5db1d243517ed87e8df542459e3b65d3336c69293a37e8f3ac03fd4a11330163fbf9eb8bc2218e7a9b5
-
Filesize
197B
MD5692908a9fe7461b9736233b4b217f221
SHA1b3bb8803bba51dd7c622d2a1e4f2c8e4b1c4184d
SHA256d3be77c2e695644f8dfbc8342c806f5f48c3074f5ea1000aa300b6c7061e591f
SHA512f38138284e905c6c877dd67de0858ce6d80403c712249b6e353c51389aa86c67ca29ba4f455d4ab4f1b5f5c6e3c8e1fccbdf01b8d0766aa93b35fb8da5230788
-
Filesize
3.3MB
MD5e74be6bbac3ea0713506397d5d6ef541
SHA1dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9
SHA25658440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7
SHA51209f31ce980869b6e2d53ee391a62150fdec456ceafa22879f4268094eec03614e77def0dc1adea064e59982838286020e6af45e78c7db3c4cdc1da965c1cd185
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
3.4MB
-
Filesize
72KB