Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-01-2025 03:06
General
-
Target
8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
-
Size
1.5MB
-
MD5
24a6fbff4c43f3aafd8906724ab7a21e
-
SHA1
c0f99114a21e322eabc8ee370993ecb09e984121
-
SHA256
8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354
-
SHA512
7daf7fd2890acad093bc7f71db825a9e13eb60fe188d3cd2de44d7994db25e71576f721005fdc9cde0263aa3fb25319235fd9611862ede7f6dff0c0d00286a4a
-
SSDEEP
24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK
Malware Config
Signatures
-
DcRat 15 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
-
Process spawned unexpected child process 13 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 51 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 26 IoCs
-
Checks whether UAC is enabled 1 TTPs 34 IoCs
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 17 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 51 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe"C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\win\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NpcD11qco.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe"C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDA3\conhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Idle.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\csrss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SensorsApi\spoolsv.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\resutils\dllhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\IumSdk\lsass.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\srmtrace\WaaSMedicAgent.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\odbcconf\sihost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JdMTxOovBw.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Windows\System32\IumSdk\lsass.exe"C:\Windows\System32\IumSdk\lsass.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7767b6d9-b937-4037-be66-e8e0695a6c97.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8c8cf5-0ea8-47b0-8711-be71f58dc331.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8240f9-cd9c-45b6-bcd6-15d79149399b.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33d43482-5db3-4365-92ab-49ffe511f934.vbs"12⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15063293-1f48-4f05-991f-be8cb9d9578d.vbs"14⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f9bad6-b953-48f4-8335-cf36154f9597.vbs"16⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7506390-242e-43c6-8cfa-e2cc3a425a66.vbs"18⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50d2cb25-7bd8-4013-82c7-185c308a0256.vbs"20⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba0b29d-7343-4791-b84d-b28ffef2e82e.vbs"22⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1695a1da-385f-40a1-80b1-47f7e074fe3b.vbs"24⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac6d56bc-5158-41c2-985d-c341459b3cfb.vbs"26⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93553afd-dd78-48cb-a8b4-17bfd1b246b1.vbs"28⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9975add2-a337-4f06-aeef-46ed80ab0bee.vbs"30⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e911eeb-ce68-4ded-9c7e-fff6c1f208d5.vbs"32⤵
-
C:\Windows\System32\IumSdk\lsass.exeC:\Windows\System32\IumSdk\lsass.exe33⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e87c13-bb76-459c-9215-7614831b16e7.vbs"34⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92f460c-7065-4cbd-9c84-825c67d43092.vbs"34⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6202d20e-45e9-4b41-a3d9-ed98730391aa.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad9c07c2-d4ef-4595-ac51-60e4addf1e37.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f2587b9-ba56-44f2-9e04-06b60a171da0.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5254188f-d327-4102-b7b4-1a0978e56da4.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a985242-d3aa-4bb1-b066-875a5fb7fc31.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\017b473b-6017-45ec-87a2-ab35f92fa7cf.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\094226bb-4375-43e9-a624-5460a3ff9405.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57bb5d09-b6be-4f43-87c3-79ccdcfba6ca.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56460253-3abd-470a-9493-eb0dadc6b505.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38b1558a-1b11-4fce-9af8-583a470370b6.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9a0fb20-7506-4fda-a10e-cf649261d3c6.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d774462e-15cb-4a93-9607-2e5e99f9c1e9.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c10a6dc-fb2a-4c91-bb49-b472907c828a.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd832f1b-7530-4313-aeb3-7f915f7858be.vbs"6⤵
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\win\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDA3\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\SensorsApi\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\resutils\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\IumSdk\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\System32\srmtrace\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\odbcconf\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD524a6fbff4c43f3aafd8906724ab7a21e
SHA1c0f99114a21e322eabc8ee370993ecb09e984121
SHA2568db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354
SHA5127daf7fd2890acad093bc7f71db825a9e13eb60fe188d3cd2de44d7994db25e71576f721005fdc9cde0263aa3fb25319235fd9611862ede7f6dff0c0d00286a4a
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD54c557aa00dc4a6ff86db4be1735e9d30
SHA17c155ad08e280926832bdad0aa948843de2ce5a2
SHA256aad198f453bdcef5e479c7e622c005782f94d0b391798245284aad9506fa7e48
SHA5122c311b272941308197e3f2fe9d961dda9682dfd514cc48bc63b156afb0d18cace8635f0d080b9f77ed43e67b551232a6fb5b86e88c2414f8bd2f32cbe5521ae2
-
Filesize
944B
MD560945d1a2e48da37d4ce8d9c56b6845a
SHA183e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA5125d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed
-
Filesize
944B
MD540fdb5644dee90b80ae15832b95acc3a
SHA17c2d4c82de09b1c48d4d5086c6e1eb00a3aecdba
SHA2568085e921842e274c7fee9730a274c85f42dbde9b20d6c8708bd682b2c95cdb08
SHA51259e75b50eea0b6e661d3cbb09e067534fab67038ac89e551afa512a970ccaa5fc5bb4be3fbb56b1a3f785285b3acc3d30d8d71dda479f66b8d69d2301e6855c3
-
Filesize
944B
MD5dcee2c4799aaf7d786c7a18e235934c4
SHA192b08222812d2c4392cd5babf316c6509a1d202c
SHA25633fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1
SHA51205986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32
-
Filesize
944B
MD5575c67abdb0b2c72de0d9dd38b94d791
SHA127783f259ffd096b21c02c70cb999bf860183124
SHA256fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc
SHA51261b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774
-
Filesize
712B
MD5e521abc1b003a4563bfabb435851f8bd
SHA16fedfce541038571a5a4abb4c7c56a2824a66273
SHA256f37a6ea6b5656e18f34f8177a339be38012c83fcd0ea2157b21b0b72e22ed829
SHA51250f18941f71694e87c06600d65b1b865624973b8ad40b6e16a2feff8dc2dd5640d47291277c47f8fc6f6bb41a0e8df25efe9b1c08be1419c87f1d415cd39199a
-
Filesize
712B
MD5dfb3f30a61a1b23ebf2106a8ad7696c6
SHA14b875eef8f78bc5fa96cab7b58c2aa521f51fd28
SHA25664e90f154702d40ff40868bdf3773f9b219aa972e4cd40ef5747fad3499880dc
SHA512898cd43d02572fe199a6c32cbdaa9640f79ed2de623d50e7e0f741bac07d8c6c0ad0b1cff855743eebb7ea57c4ae1e1aae40afa9b1165711455cfbe9af0db15f
-
Filesize
712B
MD5ccfb7eb3040ea4906b94724b1a178d5d
SHA1bc1ce66e7efbb846985fba54e6cad4ecc273b9cc
SHA256e7537ba2f66cb0d43f61b37af2ae63ab1b682dbc522810e63be4dad09e2535c7
SHA5121a2adda5bac460444e18e7101c8a0db6cd2f055431eb450162f35d962ac7ff573728e2ea20f572cd967cc426beb91049ba5f32b28081a06b6c8651dd4a7541ec
-
Filesize
712B
MD57658017ed0b13e54882099cf87089c59
SHA1afade8ce9b3a44816f18bc869ae46c442fba59cf
SHA256615fdc31822e6effe134e2707d6335c88c506ceb9c9d8753dbd76d5c7c1fb1de
SHA5125291b4866d29e6254b964f7a61dcd6e65e131df9d7698889a14ae95d33582df0f0e4157cc0b59e64757beb872269513ee01a257f44d41c0c31ea1756951a39a4
-
Filesize
266B
MD5654418874f9fd7483e34fd56384379ca
SHA1146de7e0448bbcb10453f9a0daa97aa0264ab965
SHA2567d6e6699265234a2571819c3d09041b059e57be5251602c01e10af67a2ba4fc7
SHA512edb4f8241eb1ada9d06a20506395088157b61e1e65edeed1cf508e34256335e9285dea2c47f51ffdaef56d490fcbad2518d8a049f12ec35d1ab2df3de5f99fc8
-
Filesize
712B
MD526f64c045a266ce969c4d962ac4980b4
SHA157951991786b8fad6942471139418087664fc818
SHA256b287264310476a2efec6adbe709c5123d19e010e7f5fc3e78c88f596749a05f4
SHA512a264c696ce440bdc3b6fd80d57b058b26e24d23d591f8a30d548d635b488a9aa4b2464c902361f53b19a31066fc2a205be9f9aa1bf711681e3b0a3878a0de6f2
-
Filesize
712B
MD53cbeed41135be1b54bd524e8229698d5
SHA19f7bd389da59a91b35897a5e3281b288ad8e4878
SHA25662235a171e2e2b79905dd9b5fb045ddc0ff3be547059a5682c02eca194755fda
SHA5121fc434a44c81bff34beaa849430864b9196427151591895ae7b720c875495b6d349a60bd1eb4a79df93968e1d31ae61bba8054de2da85ac351db12cf2ee97921
-
Filesize
712B
MD5ed4039a95e43ab4d74f223ecb53f45ba
SHA14d8728b24833b86cb36d424b0e7e66ec84fc2595
SHA2564e093274a2bd820fbdfcf49e9565f0a8dce883d6bddcb355f2cc734583472152
SHA512dffa40472ae6d88f6446dff9f5829b5d6f43a48987155ba4894c4240ff15ceded45fc65b7888c7d2fce8fd66eb5746646df56f79e381bc5313f93e6fcaadc55d
-
Filesize
200B
MD5073871350ab5cd978dff9aa6fe8de02a
SHA151a65dd4aefc5d3c0e4e5e3d5025ff24990ac767
SHA2568f6e8bd6cd39c6a74cffc53e527f2c7e138d6eb7858d8c51a5ebbbdb4b4f94d9
SHA5123abd6adf92e2b42ec31fa78ec76b798f16f764c3bf1b1b088b86e8073753ff92a73d82a6e73aa7b2b8b5568da3063b67c0183a0d9d82274a72ccfd1ccd5c8ab9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
712B
MD58d628085a93ec4f348b00c65200743c3
SHA1b761fbb4021c0d43a2dd78aa9bf10e072702f07e
SHA2564c9c50af317ed789d7ffa7435d34857641a04efc2f777a7c6a717c7d2fe5ee3a
SHA512a6c6cb07863ea8e88d1461d2f2b4805c580b623ee4f28dd4eb67482172999f56ee301c8b41d7a4c6709888d3e0ddc66c7c97a007b0b68973e20e44e4af984c0a
-
Filesize
712B
MD5f9e6046d4c49b9ab33e1fd1af585a72a
SHA14a437300fb0b1ded20bd9b206b7329206743ba03
SHA256c4bebc55a7a6b6e0ff29608bb66e0f914351b364f48d20eab7942cb338e497fd
SHA5122c9e7eb2e9895f8dfaf626b7cea0d0bc4556ea17c043257b19aea325d1e9a8461db5648dd21d75c71b17a1744c5848c2eb5bf25b6ff3312d8e028f82607da6cb
-
Filesize
712B
MD58dc38327963054b909d13e48515a1112
SHA1af985d39803f3e28631616f8b7ba2c688d1a4461
SHA256d2adef9e53903af09fd37fc786211a751a911840979c58ca3d06d527ebf417f2
SHA5122e6dbcc825f4c636b07ee0bee0935697a6e15641c64be8c3b5890e95c4cf67bd23fb5d329d4a67c5747231cab1eec2135880a227b709d1db06571e0e0efbae53
-
Filesize
488B
MD5918dc854b354a375d9518fc823d9b2ee
SHA1da035a3e15ad6ee66388b0861a3d73a80c5c4247
SHA256a83029bf5f00813ecbdfa73336de021c7b6f8a29a6b3ef52a8048d55beb6a947
SHA51283fed2dcb3176ac78638075fb8da69104f9333f73bce2155c5cb72fb1c7fd0dc3909b91d30caa204027a2f9e30a1e9a2ba389e502517b9e6e499cfdb3ed497ca
-
Filesize
712B
MD5c794f8c5ec682907037e893fb695e0d8
SHA1757d20c1efbf88a776311d3dd16c0151e24ede28
SHA2567eb93628ce3a79afde6a5e5086207d10aba31858f33045707edcd5922cffd1ca
SHA51292bd6141c1a8e90662f7a859a468e07aa06e63530513453315033a4080184676d9c9b7507910e8fc8ea3480a76baba97bc4009e59e85f2b23fb9422c209f9fec
-
Filesize
616B
MD57cc04377493d4621abebfc910560a423
SHA1010c99f38efb2acf2c09b78988e4aa03e06ca4b6
SHA2565318b20da29acec3ca32a02ee4690cea2d9de73cca2ffc3c03318a85ef165e6b
SHA512d80fe3eed55926b4f3b999d408be0fbd169f31bd863adc352026e45c1a359a4f574d98898a1d07972f941b0e495c798ce543bea7ba538e92e505c892ebda315e
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB