Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14/12/2024, 10:06
General
-
Target
3aa1bbd17d68b0b67b7423f1fe09b05b.exe
-
Size
2.2MB
-
MD5
3aa1bbd17d68b0b67b7423f1fe09b05b
-
SHA1
61c43b8f31a51d772fd39d5caa87699d74971a43
-
SHA256
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
-
SHA512
7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
-
SSDEEP
49152:mx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlH:QdPpDYbNiIP2cvxZH
Malware Config
Signatures
-
DcRat 35 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3aa1bbd17d68b0b67b7423f1fe09b05b.exe"C:\Users\Admin\AppData\Local\Temp\3aa1bbd17d68b0b67b7423f1fe09b05b.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Recovery\WindowsRE\Registry.exe"C:\Recovery\WindowsRE\Registry.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5232662f-518d-448c-be32-5639c3579356.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600ecb4b-5e36-47a4-b903-68022daaf2de.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02c8a49a-8e39-453d-840b-19e68a8fff61.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2a95b1-7461-4539-82a9-30678ac7ece0.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46c6ef8a-a494-4c78-b54d-dea411e88c13.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1278a3b9-f60b-4f73-9fcf-718ef065399c.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04f5945d-baaf-4d56-bc59-c347ff87828e.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d002079-1d5a-4279-8f68-2f759e7d559d.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b168fc8-bdec-48fb-9b25-5b81eda6b726.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bb328c0-c539-4e81-9e11-31dd79f6454c.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8192f27-8fec-4b8c-beaf-6a2f36b0854b.vbs"23⤵
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d84d4d28-45f5-4a6e-b63a-cf8fb1e4956a.vbs"25⤵
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33311d75-efa4-4092-91d1-64e034bb5d82.vbs"27⤵
-
C:\Recovery\WindowsRE\Registry.exeC:\Recovery\WindowsRE\Registry.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b76c223-9704-43ce-9cf0-ce8c87e38a9c.vbs"29⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88301ed2-88ac-4c80-a63c-cdcd81535908.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80a37e79-2560-482d-bc99-3de8e66dde8c.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a73212e-3a27-4221-98c6-bcfa215fca33.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b841718b-c799-4f58-a00b-a0cb2176246c.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cb5eac4-37bb-4a91-9f2d-f20843a79e33.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1a22eca-4163-495c-a812-7c66702b3a81.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc380726-a9b9-453e-8fcd-61a580e0d8f5.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5f3a7fe-41e7-49d2-bfe6-0c7d11198323.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\134bc14e-e2d5-479e-a10f-534918a2012d.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e181cc6-714c-4a85-a830-3a877c1146f9.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3c5331-fea2-4a72-9bff-749e18519b43.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39395f90-5dd1-4514-a06b-4e96e75b5481.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56c18243-f0b3-456c-998c-b81cb35d664f.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc17cdb1-bc37-4b79-af5b-d24c612ffcbf.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3442511616-637977696-3186306149-1000\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3442511616-637977696-3186306149-1000\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3442511616-637977696-3186306149-1000\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Templates\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD53aa1bbd17d68b0b67b7423f1fe09b05b
SHA161c43b8f31a51d772fd39d5caa87699d74971a43
SHA2567362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
SHA5127ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
710B
MD5c17b5b1f2d7155b353b24290773f7f4d
SHA1b448433b44c4827db69f7ded98f93a0d0f8a563f
SHA256db65401df2291987b1c3329bd2ba16854912e929b56d3ce61f901715183efd4c
SHA5129d7714c4ef4e4465c0ab62a11ad13764fe8a8ea3857481fe8279e0d72f6d5b70dc2cd87858e8f9538aea1e251990426dfabc5c0a0a7f83eda30a90d064c5824e
-
Filesize
710B
MD5978c44ce2c83bd0d23808f8472a75220
SHA1173f9818c44ac50041d9c76354618252685f1425
SHA256cf07d3dcad95f68cca29366f9c3d83ff3ec74d88e6d1e71560beec251a41664c
SHA51202f0422dddf5bb959179f6cbd5167adcf3ea9900a981dd76f30551ec449a8141e3a1e577485009f7265727a3bf2d2b0d4cb541f1299c336033467d06fd0c0d26
-
Filesize
710B
MD57c3bad4179ad8164559137b8369b26c5
SHA1d7d153cdc51b35deccba9c52146b376bd12c2bcf
SHA25677b74be2e6547281c5023e02c0b170e39da02077e349f2352b19566df95521c8
SHA5124283459ab993c87d79ff1aa617f0174d065c0529406ee4b2d1164df827efb51153cad91ec3d6788ee26cf9ec774c279ded52f4313c283f6ffe298d13f2477979
-
Filesize
710B
MD50ba16df4c7f9dfcfda7b28448152812f
SHA1664a5571ef2fb9d02133548ed17f938c54d42081
SHA256798feac188d1d7d51f96de546f885c1b53b86a71c9d4f178a7d23dab425345b5
SHA5124573bac08ad65bcda987a00aba2d761cc0ac14971b91fb2afb2da2a2f730b76256195df21cecefc97f4e17a0ca805d7f08ee4bdc21adc007716e9db2735fa532
-
Filesize
709B
MD57b3c7d979c7ebea016ffbc10eff3aa0b
SHA1babe14918027592c03f30776d78960bf7484e57c
SHA2569b1c8dc0a6dc11e3f8baf9f6dbfd65b9fb51601927d74f7742960b56fd8dd7b8
SHA512b3e48a2a03a21c982f10288e1c985a3bb3a263c456c891a4892dcd49afe31b44d545431c2b42c72514f9c2f9e1aaa0c9d500d7f6ef0057eebcb9ebe833526fa1
-
Filesize
710B
MD5946a76f717d19753816c554c966e47c0
SHA18585f22ad29df70f2e4e837feb004706789ffebd
SHA2560577632316bf85ee7e9c8876e0b8ec6c2a7da91f4f831d61a44a466d4ed3371e
SHA51228fd0da94d8bcdb37769bae453a58b155eef9ad8547d95715d94575f12db6a49c584300506c6195ef595befc7b6c1f1d4ffcb513928d9d1f35956ddd4033d55c
-
Filesize
709B
MD572be82c9076291b0d12520634c67751d
SHA1024c665c730a8c31d78ca140a8dcd0b9cb58b75b
SHA256a5a626ac00291c5c164e56855f06bf073b7f8d092b01190ffcdfdedbfec8ad3f
SHA5124fcc920f3724040a21ae2a74d3b7ad073fcdf8ddc4925bee0e35d384d6069d81c552a274390fbe24af60e7d8f23496c85c8672f7cc0ac125508dc049251797ee
-
Filesize
710B
MD5e08a9df1a0a3bb3070fa9502177bd9f9
SHA15fb6540ac31cb4b28be32da117235e0cbf8cbc07
SHA2568ef97783cadc5ae53af219b2157a1e52569579041062cfe27a9e3618235bd02a
SHA512057a0afb8e7f8fbfd8ac3e894565aca73034cdd3d42fa492334c90693482d1bd45125690b57d3b144394132979d4f4ee5e79bacff976b6884b8fd8f9af6cab50
-
Filesize
710B
MD5b98da492531a95686a3745ee86e8f9b5
SHA1e7c8f2d80350165ac1698e0bf54224c0c5288ead
SHA25685f2c94e5c9e6bac1539abcfe2fea60e69805df239035979cf560dd4c07599c7
SHA51268bc09b0254ed5da806a035faea79c3b959f0c78a5faa19438238602290435b157015b1bee1401916f8d89c158492f95c9f7571720589ba92c30988bb2480f5f
-
Filesize
710B
MD54cc1e3fa5d0a81b7d7dabad03c2f1cc3
SHA123633c566c38b07a39441197d0aa864be2b7b641
SHA256814b160891416886ad49aece0f9c9b5a82ee395a2884b45ae2e1337ddad5c1e2
SHA5127289f7bbae1f6f5e281a34e9c91d27091ce2911214eb77e5cd4703d02e1dc139936e6440d019850ddc68f0459827b012629244fa0971df7d3ddddf94f61c22b4
-
Filesize
710B
MD50ab286619def7e361787f46a0a7484af
SHA13868b01fd6cf0f56c63b7f156e22ac046f839ff5
SHA2563bbb628e0f911e3cc586545e3e06fb67115923c43823c59049a156829fb5eb4c
SHA5125aed9f11de65405c4c45b6033893c929f0c5184955000cc2bc241933eaeabc95b07b2c4f13cd32c6c378083c3237b81f644fa72e5a74e6474dddacf1d9b79b05
-
Filesize
486B
MD59c1e5230f1860c59d3d11618e5584d01
SHA15ae203f3694660ebf00c8527b84585a4f69d43bc
SHA2569c6aeaccf33e3644aea6dce49eee5d9958671c3b68f905c39159f4113f7ef256
SHA51268fe748c74a6f3f64370029af3af88a46db188b96a8c93c144fe8fd3cd73da1f5c77f8aa108a25daf565c01bc8b334e06bf805220fdea31d0d5315d25a0fae51
-
Filesize
710B
MD5d22a9d1c3d8ff7fd0da808fd61af2837
SHA18b87ba58842e4bee64402859f1e15f8197de37fc
SHA256dd3e5c48ad86fa270cabae06966e0e6bb4b1b7c37095bc32ba00001bce35b060
SHA5127b40562a2e844860f78ca6534ac5f1d19dce5e6258e8445ed4202d0f3bc4baaf3bcdabd4ac6caec387edfd64cf19d8db57727ee623d9069cc6287e9a741c7506
-
Filesize
710B
MD5875ab52dfdecd13752cf9f0ecdf6f8b9
SHA1ade3cd2547f088af2e70ae7f5c54b7a432f4a6f8
SHA256c0ed01362c2c96b15a3b21fc227cffcee5bbca6b18c954b74d628c9c2af8caa8
SHA512e70f8dc544ce102eca32b5fc242b0dc551b85ed412bab5a9958db4955cb5b2d01221eff9766090c5eb37a7143017dd9d8a6f013e98d704ccb26f92e3cd228d9a
-
Filesize
710B
MD5022b301fd3beb8baf60973f16d15e87f
SHA157544fbf1f93ea0ae4ed3532b4c715f2c4af2b84
SHA2566dd91fb993f926013494b839e0f9b5ab1d8ded8366e09754636a16e40ee9795e
SHA5129f2897e432bd6b990f09de320f27737cc0b9af09c502f22f7c5abf88119414ffacee0acd650dbdfac2086075940a2eeaf2f36a700f1d6e520d96780c41e9770b
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
72KB