Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-11-2024 16:54
General
-
Target
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
-
Size
3.6MB
-
MD5
646a50d060ae1b649f0ca735aabf5744
-
SHA1
a666932e153ef1d2c2463009e0df4de9bdf73322
-
SHA256
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
-
SHA512
0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c
-
SSDEEP
98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M
Malware Config
Signatures
-
DcRat 58 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 19 IoCs
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 33 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 38 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\fontMonitor\B6f2SnQ47.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hN7lqUtaMK.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41b83793-e2ad-41a5-b47d-8feff72ce335.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ab88bf-3e5c-4e3c-ac4e-0c190f655a3e.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2ebf27d-5255-48a3-ad2d-b04b33a0bfb6.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3feaf566-e357-4373-a1f4-ceded6941c55.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8488d8-faf6-46f7-a96d-f53a1f0321a3.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3795f7a-b10a-44d2-8885-e0ff6e0f8222.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21508530-6010-4b1c-9ea3-91777b837c6b.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922471fe-b2e1-4a93-8568-bee17d50e264.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43c651b8-d140-4465-9e2e-f3b49ff86023.vbs"23⤵
-
C:\Program Files\Windows Multimedia Platform\Idle.exe"C:\Program Files\Windows Multimedia Platform\Idle.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c651c68-7154-4278-bc16-c1aa362a98d4.vbs"25⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6183a588-e4f5-4211-9e21-30aa515427ee.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f342d70-931c-48f2-a363-c0dc0dcd314e.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\018096db-c518-44d7-aed0-f210f62f0720.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c18ca0-beae-469b-bc3d-ad3f37d53960.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1783b19-f2c6-49a6-9938-cadb0e207846.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ec0d2b-6054-4440-bd70-a0268217ff1f.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac149429-b2c4-456f-abc3-08cc9c7582d8.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b52f775-692d-499a-b698-f323bde9ae94.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecdfab58-a235-48d7-a968-9b7bbd45dd00.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b11b54f-24f1-4282-82fc-353f362403ec.vbs"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\fontMonitor\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\fontMonitor\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\fontMonitor\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\Help\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Help\Help\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\fontMonitor\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\fontMonitor\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\fontMonitor\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\fontMonitor\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\fontMonitor\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\fontMonitor\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\fontMonitor\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\fontMonitor\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\fontMonitor\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\ssh\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\ssh\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\fontMonitor\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\fontMonitor\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\fontMonitor\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
729B
MD51181c95c7fe85c36be1b414ad8b5f2e6
SHA1c7e382f146c924828cbf125f661552f20004da3a
SHA256f5d75301db02cb01daf3a962397c115c4b0a1626c44deeaa46a720b56e74bd1f
SHA512a8c50372967bf9d90de7bb07f20f56d25803995dc3d703cf484d4f015d58e0957becc1e809203bf1ec0ab088fe4a14bc959d286bd5f76f07739bd3254a9f01f5
-
Filesize
729B
MD5d22e711509c9a8788269a7fd3fd1a885
SHA14eaa93ffed43331a6c23189ac099390992b2c0c0
SHA256ecd4c8308ce01959131ae39ca1bc15d32b4fe2a31a6be1fd7c6e8617505ebc9f
SHA512df2302ecfad748ea2b038aa7cadae4dbf2b6cf27f6584c958bd8be5c8cf56102ff47a684a3f802e38a718b8b373c45c1cb2bc3b3ffcdd7599d19d7b99fe70dce
-
Filesize
3.3MB
MD5ffc7c91046f1c36b96f73d00bfce7e44
SHA1887b1f0d9b2b942bd3c21c38707ff3461633f7a1
SHA2565ea7184d19e1593abd67a4d8ce0aa6f7c89e59f2dbec3eac20337296faa92e9a
SHA5129bc882610c641eb92c78daeac1543cae5c55cade27c8abb7320a878ed40a407312ce171fbcc1dcdaba7644a989ce27c58f959be82cdfebe4f388ddada1b6b4de
-
Filesize
729B
MD5a9e5f547555a995e43bf7acd83202e61
SHA1ce24f1bde04d7138b611cc38254e05368a5f6dd0
SHA25648601e35c3d0818d489da8dc7c87b2bfa4c4e70d9c9589f47685684e968d1069
SHA51264ce25b05d10626ab9f0e2afc57bf0205a9a65a3a76e39ccd3e08c4e44e1380874e6e3c6ee21f2edf807ce1410569c72eb5f84920f2ed748ef927046e3966b79
-
Filesize
729B
MD5285215e59487b14e22a8406eba5e5e6c
SHA13063d592130ce863c2497fb06ce227bbb88daa1e
SHA25666891b6a6811d69c82577e2dacf75dde5b6bdb0715e5eac0f5c9393206eb5e33
SHA512832eb437adf340a2f6620fe78dd98bc39e5868dd4bd393d50e6e6c42536251f99b47abd1c89e47944c302fa31b327c07b411474a38add28a8d5444e762953b04
-
Filesize
729B
MD5d91859b5e30ff41dc1d90dc2988c3c25
SHA1e20b0a8bc04d292085b32249b0bff135e428faa5
SHA25645312d8a4ae52a4636c1e861cadfae1799cf9269da1314f7631be5ea334d1c7a
SHA512b605d16d6ff8bc38981e4da2c09d0c87f6e6213eaa8c2ecb6cc0559cc7283ace535c272bad5ccccc69a7139ee2aa7c0b7bb4d950653e9d398f75b7bec8732484
-
Filesize
505B
MD51932cb4abd3130b26bc7d2f83472d3e6
SHA1f1ca36ceb66cb71583d1f5be7c0141d656b94df9
SHA25646bc53e59dca154d74e61282fb8f8bc41855ada0c705f1ca6bea39e0425e1159
SHA5124807b9e2db3335364d8f589fb716d604b7ec4c8a36173d4bd57a0c65ce209b2bd1eafe4644ff6963c9fcec3e58842c42ccafdfa149b7dea412d2f25d2a3c4451
-
Filesize
729B
MD555a670ce61a6a7c086289d592f8beda7
SHA172c5f18cf23230370eb13db0981ae81472fc3e1c
SHA256071d60cbdde9bf54e59f4a5e0a989251da7f0fd0e12024433504f8fc62434260
SHA512770a18226a77b50cabf57a4e3595947dbc3db52132ded50f5e75012c400a236fbdceace91a58b7412fde4a1285b791ab1850da616b3261deedd74acb5a995ec6
-
Filesize
729B
MD55e8e874cffdbb3d0c798cf377ac03120
SHA1f1297689f1c550fd972f6d8903e33c20f4b1641d
SHA2563ea65b8e53fdb452b262c33501b070e45b2662e7f3e582ef33cd97a6ea75f278
SHA5122e225b990d059e1837ff5710d8bd91ade7a5c21b90cb38219381b9c6e5022105d6f67ece3376919d0d451b8da06b9d66deb9691f6c2e22aac5cd360c36d02a2c
-
Filesize
729B
MD59f7f8830475e57050c6b03513929cc95
SHA1b602e3ebac72d80f17cd416f198828fec1640453
SHA25635f0f5a6a2bce9892e25a38219992c6db9393a576ce64e6618a39398eb170cb5
SHA512d69c5d8fac5ecbf35f411d0c1d52f5ce3c71746302831b4b1e43d812445753aa2847a965ae9d3e1227689bb2894bbc10b06d8ef08c135da9ec9423b0e732e10a
-
Filesize
729B
MD5ddd1c9776c2199c2b9fb3950de9f3c01
SHA17004cc4b9e5450557d9cdef5e7dab34f1b743dcc
SHA256b6557377059b349acdc7bec2d99b05f9c54658bb8bba2152de7f57faa941e8dd
SHA51214caf2290ff49e06319246cfe112477520444474a17b4399b43293240e516f148801eeea7663b54754fdf01ae376495760dbd08eba2656903d04f2f8d1790394
-
Filesize
729B
MD5d3bcaa0adcf46b4bbb00483e3960b11e
SHA1f3b32c7f7617d2e239ec3f3637efb4b5c018fa64
SHA256985b6cac46813f419cbc6213977230066289d053f3a3a295f99b49e8d424ae56
SHA51211e352966cfbf2830cc95db0f0addf24a780cbd4352f0de7d51ecd8f36fca7fab07e4b593656ae23531700fe75d1390c55a4e30353c99842568bc64f1c0f3bef
-
Filesize
218B
MD5988d3eb27217c8ece56ffba4fac08028
SHA1e8de626c98a8ebb2b60cd9a9c3941454a3a731b1
SHA2567fb43f99ca3a61f0c0117c37de778854af20a6aaf055a4c588bcc70192c923e1
SHA512cccda8d8561254e7a03e8315d2509fe26f46177be0be619b83539feea645e3a97663685124758c3d00bc8d80582b9a89d36f2656ada6dcd5eb924a73087f5e75
-
Filesize
31B
MD5d919292d76ba6af3f0a7c88b2d07c4fa
SHA10fa76a1456603b525f53d9e787d1a800172afdf8
SHA25652bde46534a8a1ea436617040c311631ce470e0e60875585921e2b3fbde3809c
SHA5123a39f5a6a544634841f20d26dcbc3b2f875639e38eb1f5db1d243517ed87e8df542459e3b65d3336c69293a37e8f3ac03fd4a11330163fbf9eb8bc2218e7a9b5
-
Filesize
197B
MD5692908a9fe7461b9736233b4b217f221
SHA1b3bb8803bba51dd7c622d2a1e4f2c8e4b1c4184d
SHA256d3be77c2e695644f8dfbc8342c806f5f48c3074f5ea1000aa300b6c7061e591f
SHA512f38138284e905c6c877dd67de0858ce6d80403c712249b6e353c51389aa86c67ca29ba4f455d4ab4f1b5f5c6e3c8e1fccbdf01b8d0766aa93b35fb8da5230788
-
Filesize
3.3MB
MD5e74be6bbac3ea0713506397d5d6ef541
SHA1dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9
SHA25658440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7
SHA51209f31ce980869b6e2d53ee391a62150fdec456ceafa22879f4268094eec03614e77def0dc1adea064e59982838286020e6af45e78c7db3c4cdc1da965c1cd185
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
3.4MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB