Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-12-2024 12:41
General
-
Target
d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
-
Size
1.0MB
-
MD5
aea3d4caf079e299eea0b385a4dbbedd
-
SHA1
74b93127a847e2e2f2af6baa6b4ad6431c02ac63
-
SHA256
d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5
-
SHA512
8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9
-
SSDEEP
12288:sP2N7DeTXX5qeIeLsdxv/xedn6IwyMbfhC6hQs3uUbG6ddD7HFPMmXgAff+75LMF:sP28z7IeYxvJeKHdZH3OacV3d9CE4
Malware Config
Signatures
-
DcRat 53 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 17 IoCs
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 42 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 34 IoCs
-
Checks whether UAC is enabled 1 TTPs 28 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe"C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2142deb-4eed-483f-90f9-c8f0c7fdceea.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31df94fc-4652-4c9a-8ef7-b42574867734.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f8bbda4-e5eb-4293-a76c-cec24177cd98.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee42f3d6-026f-478f-aabb-0093404c42d9.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6a1b471-0d31-406e-a432-983965dc5436.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27c8a2c9-aff0-4a5e-ace5-6632a55fc76f.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c4980df-1dd0-429c-8881-924a1cc00b7f.vbs"15⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77a6bb11-9e60-43a4-866d-ab88262a48e6.vbs"17⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c56cfde7-48e0-4810-aa14-1dc85e13898a.vbs"19⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\521edc55-4b3c-4abb-9d45-238b8370e901.vbs"21⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d86daa1-bfbc-48c0-8c7c-36e485257879.vbs"23⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1794a8d2-f8f3-4e1e-aefe-6f2e8d721f8e.vbs"25⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe"26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27d6c1a2-5206-4cf2-875a-7fb34b0582da.vbs"27⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f08f1c2-c6c6-4a32-8951-798c44e2d003.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c65748cf-94eb-4846-9814-6c04ca64bd40.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edec1240-b2a9-430e-b4f1-80f996c491a5.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b5528d-fd9b-438d-92f1-be44354b416f.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b606f8-0d85-411f-93b7-2fb2ee2a2d7d.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d50fc67-bfbb-4935-93dc-1f7141b545d1.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\680b1928-1c70-4d13-8223-3e52389263cd.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a742440-fd77-4ec7-a803-be25d68e35f0.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\942a20a7-0205-4da2-a372-ba42cf811103.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c5a7f3-b30c-4b5a-b827-ee3f7ee0cfe0.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88c6461f-51b0-4cf5-ad7d-b038c1536a95.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\095de039-2e78-4a2f-8bc2-7bbace6f6ea8.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f956f2b7-a8cc-403a-89d6-81702b42b0ff.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Oracle\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Videos\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\uk-UA\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\legal\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\legal\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\legal\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5" /sc ONLOGON /tr "'C:\Users\Default User\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5aea3d4caf079e299eea0b385a4dbbedd
SHA174b93127a847e2e2f2af6baa6b4ad6431c02ac63
SHA256d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5
SHA5128df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
750B
MD552d96bb586c98414ab3374282a74b212
SHA1e68cec60eeb5f39f504ee442f3d746b2f79ea380
SHA256134a470518d52b8b01e5fc209e9067e868d2cc7eec324caba668c0c7b07f4c7a
SHA5124b76f8a0f69a66e7c55e0aadb6bf9a2fd486641a094b4d6e26c9e821e8b64c2c1e6d0be2603b9a1411065b46051268b59c196dfe76001cc8b6ba0f0b3f9e0410
-
Filesize
750B
MD5407fa68818952027fcfd1ba309f274f5
SHA1d40e151f5c27f82aa3a85925f9be021cd4d9fffa
SHA25662e1744f38e514cacfb681e47261fd69ee0be9ceef19ec9d222883e6b511cfdf
SHA512f98a0ec173a87a4e0e524ca288027eac9d267d88c158ae9f44cf6a883d8bc8e4ff559cc3c6e84e3915344d7d8078eb89bdcbe607221034e58fe735579d41cd78
-
Filesize
750B
MD50768f68621cf43bf581213c70b76f6e6
SHA191a0261834dd8619f747ff597a49b8837706737a
SHA256c16d9d68a1b14fb5d7ccc74a24a17a05be5c08c497bb6a01cc2e30729c8249af
SHA51275dca817d9ed35ac11f2d906d0e912c5afa6b358ab1d0203de5eeaf190dc699d7f0e396f1f02e32f5f64ae2c7fe3be0e2566207d138f3d8e30ba4fd2ae0978b8
-
Filesize
750B
MD58d6c1c40986afcfb60b5993708a67085
SHA1cd35634a587c6ba6d3a6b8f7679e61e867b45d5a
SHA25631a25181d63c123efaf1dd71a8c277ebb8adbc925b5419e7a4b90712a9dc3ab5
SHA5125923ff59011c223010516eb48b4329d7f54281b68ec16ff2c8e887bd58f987a976747562529bbe8df0583daf8e172e0050385be018cdfc7d31415b4ccdf97470
-
Filesize
750B
MD5f0a13a0ee7d542fc850edb5b39a08594
SHA17032cad2120febf61935c7b0aa85e3e11eaa6046
SHA256fdd100cfc89da88e949e3a49ab13d61433ff507f5cbbcc0767f3dd094162c64d
SHA512635fb74ed76199da2fade02ce7fd544f18ad37198deebcb726004f3ffa10c5fed32406c93be15f054fa6270534dd1369422aedc0a544136bd1c99c49cacd87e3
-
Filesize
750B
MD5b814eed3a6af54cbf58bc7b86baeb20a
SHA1ffbf1189238122b2d3de6c9ed32f579903425266
SHA2568693c80b325b7c57aef21429add5e8bdbeb4e5f894e66c1200af76b5485c41be
SHA5125ce1e10ac4a37314ce8cd6a72cae5473bd8951b5550ef967f7a659149a18ad66adedd375b8db21d1933f9af130a21e0f50f969f49d60fb03cce9745f497e12be
-
Filesize
750B
MD573b6ddf71770a9bbd7731de98f7ebedb
SHA1b71aa39f68805d49f635a82524fa98389459c3ec
SHA25604cc36650285d3119190ea4cc55b1be2d7ff24c22fca5ac5b582816cbcd4faa1
SHA51299105146e0667f9970c1c08cd03e76d6d9dc8ace6ed681ce359f7e5f9be8f60a0ba6cf21bc23728fdb299d3b65cf174664f36b06003abd10c2c12247113f43e2
-
Filesize
750B
MD5579a0636a65248c97ddd864a8a0e1a57
SHA105c03d1e6c49a0d9a7ef971a7b36e5a3d64f00e3
SHA25642c01dddf3ca94ed78405b8de374a1bc49434fe8992ba85a1a112bde0508c739
SHA5120ed8207b178e82379a86380d442343152f8f64cf7e8c5d62052107f68147ef941ef9bd6274eea28e8ad997e231cc1e94f823383af102555a36bab953f5ff74cf
-
Filesize
750B
MD5d716c64f66376d0a17356ec2367507a9
SHA1de9947646b650d0024a71a70748ed05f87ce26b6
SHA2565f2d4b0c7a9e6f98971c7da9e6e14f19d0911dd63da5536bff93e1e0a7dc4b67
SHA5125ee8321f482f9af79781ed7b56b74deb807126a61f6007e810af0faf0df134bd800446f82e5c754e57f6bde44d9b41266f8f7fd923a9754330557b4362767f04
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
750B
MD53dcf07ff57f841e50780da94d52f837e
SHA14a3faca2bbf33eaa16ff96fcb07ecbd24f884f21
SHA256bea585220acc851efcbfe461bd1bfa26f37d7a0aad0f9349611a5cee43667283
SHA512bd32e8886052b627b281a3cff7e3c52e8255aa5610ddb3e39a743306f82e108ed0eb979b0dea0592562127e77ffd73c75c87fc95045edbbbcb357cdba35c5e14
-
Filesize
749B
MD5569bc6a3309dfcd9e0c770ca0d867343
SHA1836acb8689baebb2747b51508f2529127df7a737
SHA256759ef11ded065ff0418f11d51980036457a033318aac6f19539b9a5ddeaa054d
SHA5124fb73a949fc6250442c9aa47e799700b7e3b8b74e9f4eec34aff99d78fbbac3671bc5e5d3fdf1c2ad948545a9c445142d5d44cda4e4b075fb9657ef15a06d152
-
Filesize
749B
MD5cc09bf04f7f687ad7a41118eb5b50efb
SHA1e8b2fba725be3144730b0de2e7faabd515c8b895
SHA25606529162cd9d627ba5ba907e48f40241d6259478ec4129dc0003670d9a834b89
SHA5129047fe2d9996375595cff2010c9a1cdec735aca189c5058832938c0fae377fe5769c992e910a7729285b68dd2f4f7490156284c304572a5cde1532298267aeac
-
Filesize
750B
MD5ed3ffcd1cfe3e93b3c6f833fd9ba1fa5
SHA12b5998da9eb7203024284f935ea564f0836b232f
SHA256b18cca730f1128e495cd501cd85db4f7ab4d85ee7333c0bf1a6bcc7efe0c04f7
SHA51279696cf80ea82d986278422248b8ccd0d17af74b4a01b5848c59642b3765befa206f0cab147806268a8f1b272ec3da97ee1dfe8966f26b989a1cafaddae1ebcb
-
Filesize
526B
MD53c885eaa9296b0594fc10a6046d5d014
SHA1ec7ddd095882a57249191d693666971c0ad758ac
SHA25682f5d98d5cd473280f1cd5ece4e9c8865cb2ad413cd1060250c980b2c8caf050
SHA5120d9e6d420ae4675ab4f59584dcf2acfc871d5d8ad39d6236cdd2fde5f1cd579ba582d412eaff1a91808a70cec375fe078548325494445719d984e5093dc69111
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
136KB