Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14-12-2024 02:51
General
-
Target
0bc68db77e687fa52b2f367994c5bc6f.exe
-
Size
2.5MB
-
MD5
0bc68db77e687fa52b2f367994c5bc6f
-
SHA1
ecf69c28aa53920f6279ad29d5bc9bb02542e841
-
SHA256
3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
-
SHA512
fdb5c57a9a86961e895159543196c9b59c810827d82d7610ab8f9e220125f25c1867eae376c2f2aa1ae19b7899cd746dc18f6a56486cd4449766325a135421a1
-
SSDEEP
49152:ubA3jUx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlHz:ubVdPpDYbNiIP2cvxZHz
Malware Config
Signatures
-
DcRat 50 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 42 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 32 IoCs
-
Checks whether UAC is enabled 1 TTPs 28 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bc68db77e687fa52b2f367994c5bc6f.exe"C:\Users\Admin\AppData\Local\Temp\0bc68db77e687fa52b2f367994c5bc6f.exe"1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Recovery\WindowsRE\SearchApp.exe"C:\Recovery\WindowsRE\SearchApp.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2866349c-2cac-40fc-91d8-029e887ee362.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d719448-0312-45be-885b-d85631969faf.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4dd011f-8117-43d0-b719-bec35fded293.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72ebfff7-9ef4-4b2a-bf6d-409051af6b93.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21684dec-76cd-470a-8f92-2f24c131ac86.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d07280b5-a31d-4b80-bc04-c5bebad02cdb.vbs"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681e1524-7c7c-421c-8b31-be61c7a12350.vbs"18⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b3637e5-173e-4e99-8131-3b82c45e13f7.vbs"20⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ae1b1e5-081e-4548-87b6-9427419d7267.vbs"22⤵
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c51d4d7-c128-42a5-89d3-8355bf7ca0d5.vbs"24⤵
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd5c6143-f73c-4474-bdd4-ba28c3393d75.vbs"26⤵
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ee79695-fc07-4322-97ce-777b163deb5c.vbs"28⤵
-
C:\Recovery\WindowsRE\SearchApp.exeC:\Recovery\WindowsRE\SearchApp.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f46cde4-b4fc-4df0-a58b-7e60a56a0713.vbs"30⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d74b925d-893d-47fb-97cb-ed7185bea5b3.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da8d4303-7496-4e2d-b622-6017573edb0a.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\275760d4-6930-42f0-b9e8-5a6de19453fc.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0dba52e-f659-48ef-9b80-add25d706dd1.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eb0f0c5-a084-4b80-b4d0-9fa48bc8fb24.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ab5d7a5-29fe-41ca-93d6-af0fae185b07.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\943b1261-617e-494d-a793-59a9d4a055c3.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cd05bbc-d526-4e94-96de-f1c3f7fe5048.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a726626d-a777-48b6-9b0f-7c66d48a592a.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dffff91f-ed95-4d7b-af8a-92b25d01870b.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1326c25e-29aa-47d4-a901-042619d4e054.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d9a57e8-3f7d-4cc9-8df2-09d7cf582a3f.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c422890-fc4f-4cdc-9251-af0ad6ce792b.vbs"6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\file.vbs"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\comSurrogatecontainercomponentRef\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\comSurrogatecontainercomponentRef\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\comSurrogatecontainercomponentRef\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\comSurrogatecontainercomponentRef\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\USOShared\Logs\User\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\Logs\User\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\comSurrogatecontainercomponentRef\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\comSurrogatecontainercomponentRef\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Containers\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Containers\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Music\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
711B
MD5f24a1d5760512e1aca472aba4f59034a
SHA19d1ab64cbf0b0c01aff305daa60c55bd1f828361
SHA256d2ec4f92ee160e11a0667c57e032d6290a4c170b92750273e8f007d94928948a
SHA5120e8a1f30c76927d0d457bffe9249db2e9977e63ae188749815d87f74325709896beb6bd65a88ec800f7991e74178766fc94b36a0586ca21f89c6f4cf00b52e1c
-
Filesize
710B
MD57c64197e277536e61227338eb3cdc11d
SHA1e39469d636267d0bcd68bee8cba0696d6242d853
SHA2569f5903d1cac8bbeeaeb3198d79d3d02131b2c081e5c74b7734381ef72cf54f37
SHA51224d5371e6d7b19b12b9c1411e199a785d2b4ff6041f4fa7877fb2732c62bd9b743461dcef8dec468242de44592bc6ef302166b85af3f49159f36cb780b4e8afd
-
Filesize
710B
MD531290d58d54a90790ff7e70393a12b4a
SHA1ba9b3a5c99044cb511ee1950fcf1de081ffc6ffd
SHA2567f003b286e1d5bf6ff85f979145ea79e86dcf37ac9e07c89d2ac9c9ab746991b
SHA51252295473b96ff940f1fa1c5ee6b0c510e19c99366712abbfcbbac589a89600413d8fd83ec0778b55f339fdd7ee539cffbf4c5d552cc396794aabb590d960ac19
-
Filesize
711B
MD54b42f7ab4d435e0c7932eb381ca5b0b4
SHA18ad665d8bd2f6bafb25a43e84dda3979a30272b4
SHA25610acf3abc09166e3922d32ebe4501449af80c46581a6111e09d292e744cec369
SHA512f398eb560fb41ee28e725d1d23a05eba114eb353cd80bfc6f705535a22f3e4467ed47853de72f3047da4cafd8fe87a2e321192a780cf74a62dd4e9892eb5a7d3
-
Filesize
487B
MD587ea3f843c53fddab88a155bdf96d4f8
SHA1ccf83f85a04b2dda26f13c02aa5ff75f8bc2500a
SHA256d12b998f2512aa96c9e309b2ad3b7432f05edb7aedfbd3bd1cbc6635a7e201ae
SHA512a137ff6a43045463ea368809143a6704467a4b851493c910b835ff2cf70e38df3f94245e8699b0b021c8e4bd194f89d3335ea591d2a605ef191c2aa66140cfee
-
Filesize
711B
MD50429ad7cf3db5f70f8e522e9518d0b43
SHA1eeb71501b769b995f8a4b4d56898c72ec610acbc
SHA256f7aee1ce38e43241e5187a7f698b257e4b55d7d9ed5c84636df6a614fae7e304
SHA5123836c1bb7161000ce73892bd06e0b0b3e62356b9a4f82f2c84556ef57e85ff37c4be658386a66cc062a43f32feff58182a0d270db6bad4aaa1b023eeaeb31dbb
-
Filesize
711B
MD5c21d4777924111d19cf5dda1ae64549e
SHA1d66734b2609381e5cde0d8b30de7d2a2ea90d239
SHA25689250053d94e22a1ac790525eeb0a67e37c41ce0eccb407a880a1b602b248f04
SHA512ceb64676ce0dbef70e475afc85eca2c247f5f021c3e5ae0203aec3914987ff6a52ceef60fd714d15e2e7f1c15b6df1d178b60e5a12e9991b6bb53e1d1662368a
-
Filesize
711B
MD5b5e50cbfc78e081f803ba1df3952d947
SHA142c0ea51854cd823f82cf2cb4ebddae54cd92e57
SHA25649bec6950191110fc70f35f271945428651a118eefc3e7a02150d65e110ea50e
SHA512b2dd28b283e817a5341d2edac05e750424fbdaec8b14685fa41de1762ff633fd661f415ceb08d29dc75ad96e77e9b498871883804101096e3cae8882daae1a3e
-
Filesize
710B
MD5a02892c9bd37ddbb26c1ebe7b7d35cf1
SHA1439dc24680f6d4f7ebcbe6d4ad832485439b907c
SHA25698703de5446db4056cb9ee216344858f636a15be4b1829eed167efd7a9c6be7f
SHA51295840e5caf9939822909ea26676670ac027b5779125ad87c5484ce5464b98d46e94fc76f051290988ee1e797621c21dee6174da281c627ffaf2c590e790ffa43
-
Filesize
711B
MD51c7f683060466efb202e1d5a6849462f
SHA137bdf95f65e3839de245202594f38b44ab894ba3
SHA25636a10aad31168f7417efae0e758df3015aae79681921eb76457a353e86fbd94e
SHA512b8e5b279b6e9222e3f89c455d01fcde7798e1804b844ff5b8af642a0418120192becfa1287e34cab74e3f3a0aaa15204db0c5fec52c1e43af41ea7a717c37e26
-
Filesize
711B
MD551705341b7f5382dac12451af552e2ab
SHA1ddaf39ace5c5513d6ec0fcd0885b58f875572e0d
SHA25650044da6a24d476fc7f6df3d26cc6c5ea3940dde08785a54bd47de25cd487125
SHA5121f275cf569c0b59313ac10fc9533d106d333bbceccab0048ff282677e7d81acbd49c883ed3f4828918cdb2739b922bbc6961256b7b985148a3df2f94ff1331bb
-
Filesize
711B
MD537ef94a519a8947a62ee03c9a960ef50
SHA1f8560fc9b79fa138e8caa201c4dcdf02a024fce3
SHA256ffed7f480f385ac19d44a6a38037007156fe452264060fdf98d69a21d843f067
SHA5125a3e43612fd1f826af891ad68e9ac1ebd56b9c0a5bc523dab4c69f6debeb7e7d90e3b78ff5466710a42c4066c040c50b5f4adeaaa100edaaf6aae9751766f3e8
-
Filesize
711B
MD537fce7484862f60855438350d3018fd2
SHA10240746f8631d11a33e0bc5ff5a99ec01a64949f
SHA25682874d22b2df35a2cc60a58739acd4fbfa60cec0e06af5c6e9f3afc89025423d
SHA512c3c9df41cfc64891beb0b5594507289b0c4427c5b71125d14fce31d0d64e7590988a148d779175e20f9b37d675b6ad542222119e17e79481e45aeca465e53d14
-
Filesize
223B
MD55d646684debbc53c0c7ec5fa65f23216
SHA1c161dec715fcc4156442fc30eaf6b3d0caddfb17
SHA256cddd4a030f867acb39a0e7697732cbd57bb2e5e9f0d81fc1e7d752d57c1ee195
SHA512e6518ff37848e7e92d9b820b3eecea2a0d0d85fd6804a8b4f4adf56154aa1a1d5433c3333d469bc8e2ffb9f4ebb4445f979467f970f9155774a670fe5446c19a
-
Filesize
56B
MD5cbba91293fed3dfb5a3a0cd0ec53b505
SHA16d66eaa19e366c386d006b8b782cda171c359c43
SHA256062cff19b7be8c7d9c9941f75b9225982eb3799a766ee73659251f7d0c0b299d
SHA512a97640da0d86256b3512d84c9a5120e41cb7ed47f3a61f8f4f6212804034a8e19a99fc35a3b91804734c93279b74b23737e31e224152d3e6a17e113fd4bca0f4
-
Filesize
2.2MB
MD53aa1bbd17d68b0b67b7423f1fe09b05b
SHA161c43b8f31a51d772fd39d5caa87699d74971a43
SHA2567362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
SHA5127ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
2.2MB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
1.0MB
-
Filesize
72KB