Resubmissions
11-01-2025 22:42
250111-2m5qhavqar 1011-01-2025 22:39
250111-2lgbhsvpdp 1011-01-2025 22:29
250111-2effmssnft 10Analysis
-
max time kernel
615s -
max time network
646s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-01-2025 22:42
Errors
General
-
Target
DCRatBuild.exe
-
Size
3.7MB
-
MD5
072756d824448388227ca413cf9b30fb
-
SHA1
3774a14ae84e955c57a35f82da833d46cea22ed3
-
SHA256
0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a
-
SHA512
2a3953faddf9b6037a0a34499ac11011e4c22d931ba9e4ab174b0ebd7e1c1bade9546a6b970f6280402905159b42bcdc60c92a91e8dd39cd9ff14ddf73638a4d
-
SSDEEP
98304:yQpUIa1ishqq/x4XR09rQVkREwySMEX+y:xpUIa0KFl9rnRHPZXF
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 23 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 45 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\comdll\reviewdll.exe"C:\comdll/reviewdll.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rld2evzg\rld2evzg.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C21.tmp" "c:\Windows\System32\CSC6A04DB9DA085495782368D16836D15EF.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\reviewdll.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zRGIN2XwAY.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"C:\Program Files (x86)\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"8⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\PizDec.exe"C:\Program Files (x86)\PizDec.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3518.tmp\3519.tmp\351A.bat "C:\Program Files (x86)\PizDec.exe""8⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"9⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\hitler.exe"C:\Program Files (x86)\hitler.exe"7⤵
- Executes dropped EXE
-
-
C:\comdll\explorer.exe"explorer.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\comdll\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\comdll\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\comdll\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\comdll\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comdll\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\comdll\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\comdll\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\comdll\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\comdll\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 10 /tr "'C:\comdll\reviewdll.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewdll" /sc ONLOGON /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 11 /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x320 0x4101⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\WaitReceive.js1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"C:\Program Files (x86)\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\play.vbs"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"C:\Program Files (x86)\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\play.vbs"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\WindowsRE\TextInputHost.exeC:\Recovery\WindowsRE\TextInputHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\PizDec.exe"C:\Program Files (x86)\PizDec.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7A10.tmp\7A11.tmp\7A12.bat "C:\Program Files (x86)\PizDec.exe""2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"3⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\comdll\RuntimeBroker.exeC:\comdll\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"1⤵
-
C:\comdll\taskhostw.exe"C:\comdll\taskhostw.exe"1⤵
-
C:\comdll\RuntimeBroker.exe"C:\comdll\RuntimeBroker.exe"1⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"1⤵
-
C:\comdll\explorer.exe"C:\comdll\explorer.exe"1⤵
-
C:\comdll\reviewdll.exe"C:\comdll\reviewdll.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
751KB
MD56d2d42f4cf64f23def041b16c4a591d1
SHA106c9da003fcce27caf71ea4cd23f3897a4e8c184
SHA2569abe739d093133b3aaf5512dd0b6799ee2bc4b108466622b982d5233446aee6d
SHA512926195935e5b001f60dd26c1b4f36c89723a710ee8e4b6bf5a1c9db5918969b1aabbaa7d359a06e6cec84267afd2c1f315a30bfb46d1944b9986dc42dc099bd9
-
Filesize
237KB
MD56520885628fe337b8665099479cc1d4d
SHA109741f5c74b3525c31004c5bd19b0ecab835186d
SHA25613d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4
SHA512235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c
-
Filesize
10.0MB
MD5be9b8e7c29977c01f3122f1e5082f45d
SHA1c53a253ac33ab33e94f3ad5e5200645b6391b779
SHA256cb6384b855d46fe5678bb3d5d1fc77c800884f8345cb490e1aa71646e872d3ae
SHA51291514128a7a488581372881a556b081ad920086fd43da84188033f0bd48f294199192b753ec691c2cb79072420b346f767d9cfb4ef2d119ca1e345d65df8dc34
-
Filesize
847B
MD566a0a4aa01208ed3d53a5e131a8d030a
SHA1ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
SHA256f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
SHA512626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5e54e1c1280ad00de4d4c9459bb779bf3
SHA14416134d95c6219450063e0f9b9dbf296e880242
SHA25653c278a43ff7d45585a3d9b16445eb70d8e0c6be1a6eab68267d61e8ac542d91
SHA5120dadc0330db8f957e4f488fce25ca96794ebeda371b9744a7e89ded59f965207511f64ac9af8df3d372724cedb85d928df9551492e47c3dbcaccc06dda5a8a02
-
Filesize
256KB
MD5e20664a744a8ab389050edb6febcc8a9
SHA166e1af1856582a53dd0587ec7645c8bda4e30d4e
SHA25605455ef71359a7c70daee63b56930ce209337a6ce70f6c94ec35623f963cc5ac
SHA5121ffa8a27ddf3a3271de212871768baa620d1d5cc634951050580caf1c66dd2ae32069614d8f6d33918da2c731a0bdfbf56f5a92b485e076317463650f2a3e3be
-
Filesize
1024KB
MD54bc906c92c2a521057afef3f3999efd3
SHA1e2c15c44abcbf3e554d6ba59417afec81d58d3dd
SHA256c42e661f86c95f0d97d0af00a17d270092197914454e340db35eac4d9179acbc
SHA512a7b896072954a665feb8bb124698d6bc1e178870bdac314e7aaa3ac8f75c25e5170e92876809b78228ac96241b14056be6b235bf6bca3e1bfe3cfe762dfe3d04
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD52979eabc783eaca50de7be23dd4eafcf
SHA1d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA51292bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
97B
MD5e6ba99d8293b4c7951bad0a2c6761b8e
SHA187aaf2d975cdef4db219e4f9f2b1469dd05a6b0b
SHA256773b2b8b752a5bfd3d93b7475dbb7f659bad014ffd06292ee0450c216892ac29
SHA512e6861e87688861f4c43d80f9e98996fc476a11d4e147eb3c55f66d6f1abc065690e2662dd34dca32c0284b64056b95142d932697aa1fa6d6b755ef0f57031ee0
-
Filesize
27B
MD5c7da66cab92e95daf435dc74fa5ca35a
SHA1924f2b0ebac4eac12c78b298697400a1b338a4c5
SHA2564ab885b4b48037707771cc63658513d3d82a80cf97fbcdf4558e35bc3adc2b92
SHA51228737deed8241b3c577cc6a2942287d5be0f9a45f9a902696ab733c78fe2bcd0d47d29d0efec6cca57de656472346170379c7d1ba60a5508c31f883674786787
-
Filesize
1KB
MD5895174bcd88ad1c3a13f82f3325929ea
SHA1b37037d7c6adf945c86f5144848345525a58aa77
SHA2569554d1ea801908ec49ab152137107a3bd6b9284ad444b104a1b76fd88156132e
SHA512546d9630a21eac85ddd08be0e156665aac9de61024c3fddfac2241cf03c003cabd2e4197c6d80bb9a5f29bf04d573d00c06172a1a27cffbcedffb8d562702431
-
Filesize
646KB
MD5cfc09a9a46f1910b13200df435483c6f
SHA1cdd3cb2b197728d7445d478378e6140185cbaefc
SHA2564168c7692e7c8c02fe9df4752422d217f1a92247fcd90114ac419a58bbdf784f
SHA51234dc498968ba7bc43cac96d0e6490a2b2d0766c38824982c1dd04ee299baac969635c2fa4c7b962e5aa85786f40641fdec300c488627c898929341c02fc3a919
-
Filesize
234B
MD57cbcceb16259fc7371af338c0e44ed3a
SHA1b260e12cdc0079b4773ed93de0fe961062ee1549
SHA25652d886707355893ed4879c4865a3b135e1d9c870478bc0be273eb5259f9d9408
SHA512d528946ba9ebf5943ba83f62c8221f34bb027a2391f3cc65f4dc9473575a08eb3906e57f9c9769c8ee5586e12f9fee2f9eabb4b69db70bb30c7f832407c96aeb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
150B
MD58553cc93ebeb814998f5e97d940c85a0
SHA179b1f52dc9c3218ad6692361d38049c8110a8fff
SHA256c903e3f7b439ea416bb0cc9b0b6108afe490d22092dc51e59755d30ab21e8f38
SHA51289e4f35e4ff73cdb6fb529c6ac64d77466e264a9280fe9044d890a715a0eb9819b5fbc85d7e9fb332762d3e09c58cf8339c1019dda27ab7ffeed1b5935c0f585
-
Filesize
115B
MD59e242f8f35222db7713bf96248c7434c
SHA1a66a0c27eca4aa325bc3dc8d907837180bcbd1b3
SHA2565d173c4f51d33ea28ce3a5aa715bc7140f7bcc82c4b99fad2a2d3474c476c731
SHA5124c4383df59bbbe7d5d86bc0f78b44afc68327789f5244f7cdf55f81889b6e74d008d0b94e6dfec66ac8394699919bc75a038b6c9c380fbe83161ad702b830b56
-
Filesize
198KB
MD571cf668f8ebbceda772022165b460ce3
SHA199febb0f4f9f388a4f9aeedd1530b50e0790500c
SHA256321f25cb7284f1b11bea1dd0286efcce180a2ea15357acca7158d575840c3033
SHA512bbc77a20f1a0a5355e82a40741ed50cc27fbbe97b4615c9f47644288275710ea288504fb97d14f786192bd6db54ba06ed61a3210a3571d988d026293aeb17a63
-
Filesize
234B
MD546d7e19eabaed1a2f85b8a8424dac416
SHA1e06d990343b40ba693a9d791bc32822758e9e460
SHA256a3ee2e31da36005b292231d790c3103560ca7e9aa2f106ce8357b28e480d17fe
SHA512e99691e90149c41c00f4cb7c1b0839ce4c5bc3cee49f6275887404d3807e0c0af04901b7813231576e2cd1226aeb3a6c025bdee7d67bfc35cd7e33cf33b78a49
-
Filesize
187B
MD5eb4292c364e92458c77e875e2c7df7da
SHA1b53e0db95ddb58ecf519ede0d7a976a52516eaed
SHA2563ab7ad885c7422ef507d9878ea1b371c9b0c7e6bf3f93dd0a576c8d3bc850280
SHA5120fb3aeae473d6a6a805ed580833d6b6dd5a8e3c81500b2c054a3d6c22e75425118f18f8ea8a81daac2c4979e75ecff6979bd1c2b5becf88982b8d04abf9fae01
-
Filesize
3.4MB
MD5278bb3a4ab923948a0c4f83edd2dee9c
SHA18852d6a67748a8656ddf19cee916b155044680bd
SHA256b8046f1e47f1673806a5b2938f5194e2984a7c385a13ff8c9daeb378e5d66793
SHA5128b8db76161204c482474b010b2a5605d5d4e9543d67c4dac1d643860351e12eabeca733fbfc30011447aff660be27e3d80d48e88548408c4a8645e5bcb94c26c
-
Filesize
4KB
MD5480dcd6662bd84388c8df48387f4b5aa
SHA1aa0b36ab8a9e97469696a6e9abf27cc5550cd477
SHA256578c66cb3d081ede1e5ecf552ce9296bdcb9b6aae766dea2054808115c69132c
SHA512f7d896d43a2516e334c4397ebeb05f59819f04289aa7dc3397cb5e3a48271058c2710be7ef4694b5b7318242306a5745a24fd926a3f967320dd4a167fec0f04c
-
Filesize
371B
MD5883a2bc77e78c7038c62ee87c12aaecd
SHA12282922773e480bdee07c4e4a58e7676800dcaa6
SHA25651b3279cf337383c8930d9544bee05408a4f3ce30d4f5c198dca52916c350e04
SHA512b5f7460753b8db974f3df488d3700fa281b5bfb4e7e458a062eef90e5c3e56b3aac4838c8322dfe926bc7173166f40be3c53decfdd2a878c36fb740c608b0a52
-
Filesize
235B
MD5d1ad325b1396ad51b788bb90c4bee22e
SHA1f989f985ac0c071093b27d594b1c0296d703bc85
SHA25640805481051e4f73b9fdf56749de8fc9e417bec0d651719b5796290ba13725f3
SHA512bc99b28a6d77d41eadf994c186e511d04500acf32d3ebcbffed8818d06f335e83c500096ec609604fc32d2ec74ed78b2d72745bf3f7b8df7eb427500c854da9c
-
Filesize
1KB
MD575e32610d8ef6143201c7c28465fcda9
SHA1b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA25697ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
200KB
-
Filesize
296KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
676KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.0MB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
360KB
-
Filesize
312KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
3.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
428KB
-
Filesize
676KB
-
Filesize
308KB