Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-12-2024 11:05
General
-
Target
9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
-
Size
1.5MB
-
MD5
04c9152dc94eab52c92ddf3133f3ac7b
-
SHA1
59be48b0636b28831dc5436e0fb75c27d3384cd6
-
SHA256
9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1
-
SHA512
6a8c302eb67a44a32dcc2461b64ab3193b65b8570d5f0b998b8924899943a9227fe45b71d5dc16f50674f9cff94cb477159d95670340f12f7eca8c71be8e3560
-
SSDEEP
24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRo:EzhWhCXQFN+0IEuQgyiVKw
Malware Config
Signatures
-
DcRat 19 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 17 IoCs
-
Process spawned unexpected child process 17 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 42 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 34 IoCs
-
Checks whether UAC is enabled 1 TTPs 28 IoCs
-
Drops file in System32 directory 7 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ipnathlp\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\fontdrvhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PFRO\explorer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xvwMTE0tUD.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\schedcli\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vrwl4cX8RT.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fdcf0be-b04a-4a16-87ab-4b5a03e25970.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d66bc950-26b3-480a-bbb1-74ae8578a9fd.vbs"9⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9745a7-4892-4e5f-906b-d8d4a825d770.vbs"11⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bb0a6f3-132f-465a-8084-4eac9dd734f2.vbs"13⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b9e680b-09b0-48dd-9a00-943d17ef2f3d.vbs"15⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b947e2e-f932-4482-9df4-3a40d40e0a7e.vbs"17⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6800a17a-5c49-429e-8432-d0dcfcf2a0ff.vbs"19⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b627290-354e-420c-bc37-fcc75c63df1d.vbs"21⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\102aeb7c-2b74-485c-86b7-83d9a00faf85.vbs"23⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9300e9d-651b-481a-97e6-c3dfb0fa9e82.vbs"25⤵
-
C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exeC:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec91afa0-8023-4411-9957-d6df96afc609.vbs"27⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef118e99-7d3e-4b87-9387-91082001c3d7.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1936122d-dbc0-4141-a37e-a6be73a86763.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b9b932-ada4-4528-8ee9-b3819179215c.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b741718-f097-4104-8ff1-57133a4694fc.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\281fad12-aa1f-46b2-9793-793c11c757f1.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24018df-d680-4c0e-a289-d4fc1150d866.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa74729-35a6-401c-9367-82766c21efcc.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d80fc75-e2eb-4af5-b185-88e1681907c4.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a580a22-53cd-4cba-894d-2aeca713ef67.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23467bcb-c576-40a5-902c-2af04581e793.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55311ef2-5405-4754-8e35-224f18b9c00e.vbs"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\ipnathlp\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Documents and Settings\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PFRO\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\schedcli\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1" /sc ONLOGON /tr "'C:\PerfLogs\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Documents and Settings\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178B
MD52bb8c81bf09731cf1abcac9bfae597e5
SHA1e085cc74c185031f7de3e51a49f09c3375c0fec2
SHA256f673bff61c4f1c311f60106911505a9b40a1a79854b19cfbba0502528f886f58
SHA5127ec732c93d8756656cc5b5cddbdc92434c8e118032b4c1231f7080069449cbd6e8a00e1efdbfa69383de9a68410d0e8b5b1d27c433b21f322ab674cac0cfa4f7
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
944B
MD526403455115fbc3da2573a37cc28744a
SHA16a9bf407036a8b9d36313462c0257f53b4ee9170
SHA256222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352
SHA512be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6
-
Filesize
944B
MD5cbc41bceec6e8cf6d23f68d952487858
SHA1f52edbceff042ded7209e8be90ec5e09086d62eb
SHA256b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d
SHA5120f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb
-
Filesize
944B
MD5ce4540390cc4841c8973eb5a3e9f4f7d
SHA12293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA5122a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b
-
Filesize
944B
MD536c0eb4cc9fdffc5d2d368d7231ad514
SHA1ce52fda315ce5c60a0af506f87edb0c2b3fdebcc
SHA256f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b
SHA5124ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54
-
Filesize
944B
MD53c625954a51c4bbd8141206b00f6fc0a
SHA14128cb2f9d2984844e303e2e330e448334e5c273
SHA256952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4
SHA5123f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517
-
Filesize
944B
MD50a7dafd4af6ce4631e060c6f6896935e
SHA16d56bec43b43f2141b581c28d1928689b556df25
SHA256ca04a16d6f41b98c5df52fe878d44d913c7b4400497441e6d11a1b41d4298119
SHA5128159d4de8ff4f425b3ffbede9b420f749f0394183df823e39dba01e1d511b697ed4b60f84c46f7165c473610e1699882b4109af5c4ccfafa000c3846a08d3fac
-
Filesize
944B
MD50f6a77860cd9c5289dd6e45bbc36a982
SHA1750d55b0d394bc5716fc3e3204975b029d3dc43b
SHA256a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4
SHA512e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06
-
Filesize
756B
MD558ade8004f35d1a201621c6b96380cf3
SHA1fcff3f70acce95775eb1bd7344f61398968dbed5
SHA256404cf2745a7ac5a344b4647db010bad5272889639b2d6e369b6a5e41fef52beb
SHA5127378b10d03a675d6ab05808cf088783539c705f563070167b5187e80662cf9a3cbce6c154a6181e4320d5d37682d858e4c91542ca80e00e7b79fffe08a2e0cf9
-
Filesize
756B
MD555795da781a4ab405ba60d81e47a5db0
SHA1feb4a786e1112fe5198cd3bdeff6e8bcd51e426b
SHA25666e4c2b68c5cf91ca7e00ed8da309d41cf97dba329a29b9f90af81f92ef62ffa
SHA512bca19dfc9a59b508e80fbf6f7694e6974935c819ae7557df3e740ec33858df04bf26826511633e5778e00c0f9ccabfaf228027e3c0a4ca90ae9304dca1efcfc4
-
Filesize
756B
MD5c052b0b18c2f3241b8690d23a4442411
SHA189d7696aef939090f16038111fe5751de2bc8b5b
SHA256b9a9fd12be7b3262ec86c28675d991648c0f8b0b1ea15ecc17d519af1b01d8d8
SHA512d60bb717cda2fb17149946ca312c2af3879089e58388fa1752008c1c6fcbb7886d845e314c67f1a310fc3d6cbbb0983765692234b3fb249ce41130e3e0b91d61
-
Filesize
532B
MD5cd1534703975a7026467bc7129417426
SHA1b8926f4f51e755b3ff230dce3d4fcd16ff0c18b5
SHA25646661c374d188d9ce1db15726d1694e319d6678aa79320cdc6a36b4ce6887fb9
SHA512f7c711df4137e2215e5d12ccb15baf35e12a7486114ef06b9a68f6846b92e257cdd4d6b807e3c93c3fe759292ca3bd7b431ae372bbcdca8536ed93b528c5f961
-
Filesize
756B
MD585ee1898d2387b31bf799a9822143ec0
SHA1af4848000660352c183ed388687e4275188f6fa5
SHA256f7ff56ee0c8d5a831f4f7c5ff5e8ca1ebf03777460b00e36abba9d48c2550c7b
SHA512d3526ea56e36e9eeb2dcebab4ea348af660ce88d8a7d90752caa39a5d96673b7539b5fdb3316deaeb96a62a5d552fff4cc718c3d7056c7188b06ceabd1b56fd5
-
Filesize
756B
MD515d56a0bf49dc0f5223ec9aaa15bde43
SHA1a295e52326c13c0bb95da69a4a35000d6d7352dc
SHA25609705fc4a5b957417015208764c703d8badbe62a41966a798c2b3b4b1fec6022
SHA512e0b56c4fa2c58a48d04efda725785e1eb4f85bb9110b136c5b0aa56f08ad67b006e3a1207a504a5171eb612ba45509027ab9c71e5b48b459ce80a88cbaca39a9
-
Filesize
756B
MD57200987a2ae0024e49d2a42c8774841f
SHA1f68f4c94edde9d6d6a54e452dc85dfec777b1982
SHA256dbf143617fcc7f6a8e3d71b28309ac813387e9b8184533d03166651094bdd3f3
SHA5127a73466588dc8c19ed039bcacd9828440145f5a4eb9b96719f39bbf0d9f2e9a188a6c9f1ae164fbc436f45a3213f5383e6c11a5e7e9154682256e61b891f8cd9
-
Filesize
756B
MD5ddd5d81c08348c84fbf843062130d730
SHA1c819cd5e53b1d8a799811c966328e232e71d4217
SHA2565144f6385bddd1809c29b2e9fa4b62ffcdd117378d5ec8277263fcccdcf0d2e7
SHA51235f038c68d301f25a9e3a6eda4366ac6da280573f70372c67675861e737a1b163b2b5d29aeae7a497a3f53e13b2d501aec9075e8e7b87c91ec092944fc73606c
-
Filesize
244B
MD5ce7bc1e2f0048a2d4d7d05bffe410aab
SHA1da4484f3cfc138e7772f6fbfe9864ce255608545
SHA256a3b1dfcc86048d405159ceb614f5b844633bc4f3d12257f4287445e04da4a5a1
SHA512148815438f7b0f5c8aefe510aee1cfa6b893e292b32a9b381f5fa7ce29ab2ad04e759fc69f869059448ebab1aaa0036cc90b7a13a94d90dc6366e0354c30edf5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
755B
MD5006bedf48f6764ebc8d714ca5abc00cb
SHA1c4ed9cf341b62c4d9e75a819df3164efc8e9f2cc
SHA256b48180b829458c89168301bc8c3f3aa5c594f98cc65c9e3db3c7fe1940ff6453
SHA51262e63b3a35da1873dd22020f9eee1f33e59e1728fe17c1f37a7508bb8acc7910776e783fb06eed10b6712a31198b1fc163e0ac839098548cbfd3ef65ef9e5120
-
Filesize
756B
MD5076b4a595296fe5504dddf2c026e38d4
SHA126e4deb201ebb6d17b740756224e90369f04cbd3
SHA2568ebd053cb2eb2afb3df0c80d1ea26301398dcbdee12090db14b00c5aa1287538
SHA51244bfd5676146aa17331bfd7be94e30cc436150c1886d22d288bb12ce559a62902573b9768759b3a4f5d3442ec915009e9884a8e39cc7215f4622f5a7ba242859
-
Filesize
444B
MD554a84ed8f8a717c5b8c80ea50c49a947
SHA1238edcd3ba9c0a14aa4d16e09254d1e2746bd373
SHA256ff1bb0a9814616566068401ef97f37c33b1dfa2f8dc3ea6f57b9fabb5eda58e0
SHA51287586bdf8b653247663caba679d2f0ddf34b1d379eff4395b1ea334286f69c2a3d287dd2dc815da714a1df7a856f71f48f6feff6541303a19b805e75a83b0018
-
Filesize
780B
MD5a0f0e51dec968281bfc4801b1bebf82e
SHA17b22ffde46ed2c4da95be1238fe68b5d672c3f4e
SHA2561da34ac16a284bb61797817b59a97fb0470932e8c30563a65bab0f55bf301869
SHA512f91b60bf480ac15a759900ac17b381d5e6b6eccc73e83d1f9a0f5c318678c2d63ebee32ada66364ed220d89b76ecf5709d7e87abf08bdd5077b724b0f78a1684
-
Filesize
266B
MD5bee2ca84314ab30eb618bdb751555669
SHA10329594ab22804b031f975d06cf6b657076e54f7
SHA256e952f112b8ef3724012ca320e9e4b8eb23e4fca647cdef5ad916cb0123779768
SHA512474fa1bc8bf4ad76cbe4f2290fbd80447e918c09c52d1bd5e1c884d828e2ba371a043c5c3c1f1fe92f733388a0926d4d748e963bd0ed787030b8230b752f9e6f
-
Filesize
1.5MB
MD504c9152dc94eab52c92ddf3133f3ac7b
SHA159be48b0636b28831dc5436e0fb75c27d3384cd6
SHA2569dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1
SHA5126a8c302eb67a44a32dcc2461b64ab3193b65b8570d5f0b998b8924899943a9227fe45b71d5dc16f50674f9cff94cb477159d95670340f12f7eca8c71be8e3560
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
72KB