Analysis
-
max time kernel
182s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-01-2025 09:11
General
-
Target
swift.rar
-
Size
1.5MB
-
MD5
dc8866f626aae39102d5a0dce1b3695b
-
SHA1
37ab0eb8b17d327d47ebfa729dd52d4f409ecbf9
-
SHA256
5a4bcc6593834b5aa0fd5ef8f9a755b78ba98492249c66dddfc2e77f1cdb0ce2
-
SHA512
08df2db96955f719eb50e75c45e97d30e073011efa05db9d6220a8a16e283ef17efb2eb2bdaf22878d3c96e20ac00d10a8c729ec98c420bbbcee498cf15efcab
-
SSDEEP
24576:tvHXV3VDGkfPggkNC2c2QNFvkLPQOA92+aBO6drLPMFdzXf8nU9aLSbQPZzARHJ6:1XVFBL2KFcLPJU2+idBLaDlqlPN2XcV
Malware Config
Signatures
-
DcRat 43 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\swift.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\swift-bootstraper.exe"C:\Users\Admin\Desktop\swift-bootstraper.exe"1⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\taskhostk.exe"C:\Users\Admin\AppData\Local\Temp\taskhostk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontperfnet\vOTd6vuk61dZGD6mcKz.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\fontperfnet\Sqt6qhh03BSr8GuPErIBdWq.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\fontperfnet\webbrokerdhcp.exe"C:\fontperfnet\webbrokerdhcp.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Panther\UnattendGC\SppExtComObj.exe"C:\Windows\Panther\UnattendGC\SppExtComObj.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\swift-bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\swift-bootstrapper.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\fontperfnet\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\fontperfnet\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\fontperfnet\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffba67dcc40,0x7ffba67dcc4c,0x7ffba67dcc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2520 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5392,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5268,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5396,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5796,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5808 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5444,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3704,i,2269411426855247018,28705189477894501,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5876 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\swift-bootstraper.exe"C:\Users\Admin\Desktop\swift-bootstraper.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\taskhostk.exe"C:\Users\Admin\AppData\Local\Temp\taskhostk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontperfnet\vOTd6vuk61dZGD6mcKz.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\fontperfnet\Sqt6qhh03BSr8GuPErIBdWq.bat" "4⤵
- System Location Discovery: System Language Discovery
-
C:\fontperfnet\webbrokerdhcp.exe"C:\fontperfnet\webbrokerdhcp.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Recovery\WindowsRE\conhost.exe"C:\Recovery\WindowsRE\conhost.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\swift-bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\swift-bootstrapper.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\fontperfnet\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\fontperfnet\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\fontperfnet\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\fontperfnet\chrome.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\fontperfnet\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\fontperfnet\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Templates\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Licenses\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Licenses\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD51efdc7f8bb08df690c3effa8944cba26
SHA19881b781d7222a63829002eec01bfb5278bcac22
SHA25603670d1cf9cb7f0bd16625fcfbdf3d17bda562d2f4230cea92c1acbcf06842fd
SHA512c9ca7f5e9f39daed4d290dd9b48840268127fcf1c52d0cfbb3b307803420be36306eee78ee9a3ae72c5ac8c4d85511283bb9f1c31025b2fed82fd616494e0c1c
-
Filesize
144B
MD534a33d90d56228dddd68587034055fc7
SHA1f6afeb22ee290bcc0f7d12711279783b064a09b5
SHA256a828cf33b1cda7fce0ef543271df63a4a528ceb6e4248ee9a5c635e9802f4228
SHA512a8260b8a856fae08202da0738b5bdb31fde86752fb38d0d6dc58178c5609881ec795cdad1dc2231ec405a87d83e64148145199fceb5a47b98565d7426101073f
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD5f40b4c7a47c0cb451ceebe52a2e54abd
SHA186f05516d048ad127acd83b60d234a6a6e0817f1
SHA256257e37acaa36671391c1aafd8f4f03a26ff8c92f2eecc7eed7b75dda20c3a534
SHA512b8b7e476513e00e95a12f82bc2da6e3cf8be0da91f8848620f03a6c57af42d8f9ad8dbb51a21b30fbd87d325d53ed09795c2bdfca091e248efdeb8d10c793708
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD5d9430bdbb9eb70cec6ec127b0fac1953
SHA17c5ff969aa5907155c893326dccef213cecc500a
SHA256d948f32b97d04ebf8526c2d0ed33a65785da325d836a85a7e3e418ad3e08650d
SHA512cfa36f0ad4e360f7bd46d91b62fd50a05c6d543dd3ed21a36e4b3c105298c08790d2f9d9051bf97995c58242406c8319963537a658629ace463011116f1fe1d1
-
Filesize
852B
MD5a987218eae9c552f8826db44249b8e0f
SHA1307966282aa6dc347a00fd0c225bbb485eed716a
SHA2568291f5bb4ce1277816d0ea92d85b953cec3ee740a2a5be1ecf1257a17fee03bb
SHA512f5cf53df8159322e5dd61f0031268c987a66ad3f98ac6e35d16a97fbd8516c3adb9665ea394193678a7322a41162985f192bd127f59bdbd86b906e7f4002a999
-
Filesize
852B
MD57c9d1d8a9c5e4662f7e7e5c1a89b44b5
SHA1242b5c49a8da8b91ee4933760191a5aafb7ae594
SHA256d92161952327ea4292bd123f467dfad9c48530f0d6f8f9e6f74cdefcb64eab80
SHA512c51705872a125ddead8e231497481ad79bdf344ead2f1a441d9ef8ab9121597543166b17ea037e78b4c432c845111ef8dc1ec59f2d81e8515817a9d145da82cd
-
Filesize
9KB
MD5e636bb013f66115c458fa6fac9b6380f
SHA114fe1a547f0f0563ada210e1baec85a150d2cc39
SHA25687d76788ab1ef481ff5d4987d563cd36f0a7ed017c6924ecfa2199711bee6f2e
SHA5126db696cc217fb08d6d7b435e7c9cadb6f0301a1181a7b83970dd5fba98cd8d0f23bc5d868d58848752fb55c0cdd689902961e4171aee473f45b968a68470f483
-
Filesize
9KB
MD53dfcd2a9b94b48e61d173927688cce1b
SHA1de253cb4fd14c797eac7c6fc5a3e2e901b81abb5
SHA25660ac290c604cf8bc3267b18ef8b48e44ce5965b762fc59c4d916f6451cd795d8
SHA5125aed68c43c20a0155b138179f4bcc46afdf98a68cb3017047cd0c8bc9059b65365d0c9bce8dbf32210de4e968bdd6bdd8cb817ff258595b2738955c67311cd41
-
Filesize
9KB
MD561a73e7b57cfcee9319b6d1907778cb1
SHA12c565839d950fb2e4f1e01a14d69482d2971f516
SHA2567f8f1f344c54cad758658549e5716cb6d0d546d5a2583e1393c7428e5d7790f7
SHA512a9ba483417eaab2b7d0bbb72beff16d5f43b43937ed72ae91fb2b9ceda6413e77f7fe71ad6879ae613c6ab0da2c95128bab69eb99b9452cf445e707f887dc701
-
Filesize
15KB
MD5ff1e9f4f81375acb70ef0b5e6b474d9b
SHA1b1815e9964922fd55903a32291394200dc609086
SHA2564e2c164d5c97909c5a103df2a9d3dd4e333a8960117967376b6bd3d17d892509
SHA51224e055b3ce67c8acb1af394b09eca289b096a42a45bdb50d4a228fdc1808dbf8cde81b112710ec663a6e5ab2f8580a1028cefa3e22a9c4104215d871959b99a5
-
Filesize
72B
MD52c6c5678331fdcc7ea53e5ce70e05eb3
SHA1e6ef3dcfd760e5d168a33ddab2b86fb39ac619d4
SHA256f523abaf4946f74fbd38828c748bf827f39f63a72ff5cf070cac65ac10f7be8e
SHA512eeba529dc65c233caaeeca43f16e12e94e0434d77b524653b00987ee59d81639e393e9f051c58da626c30dc1972a9820cc568f9b75cf4fe9d9b70aec45f20603
-
Filesize
233KB
MD57a00c7f253e32e5543243b8246d5b84c
SHA124d5721f5002cf29be1d38d4fc68afb11f190d35
SHA256c701b844f5d630c0690ca99a5c66ed8e4b810a55eda2aab29cceee1f0980dc62
SHA5125211948d66b47ab75d3ea89fafb25437584ec3dc1cc009ab68fcfd2045f5c4dcc28619b4f8c9001d5abea03a01076069d4654f36e71698827135b56c3f2a1134
-
Filesize
234KB
MD5cc76b4c7330501be7405b8c6ba7e3f92
SHA1bc6a0647f9ed80b5e64e080c2e647075137047e7
SHA25645cebf3485321b2127ea938a9925f3f70ba37c369edefce03673d015735c1207
SHA512934608c14f52bfe7335861f0e65b2ff69e4bcf403138719c215b42a79f0d7af523ed6e9e076bac639f1a0ee5a7c7e21edbf72f6182b16e4d355b778278f45557
-
Filesize
234KB
MD5e7131db3760cd65e48b0f9e1b835fa5d
SHA1f4ee6fd8cd45e26323e859e77ba13c2f3d593029
SHA2562ca4f11544a04ce71cd48c9db0d0c18301a50b7d6897c17a5ac5d6c2b360ef5d
SHA51274beb04539aa299298e094d7aa61a09f7eb950a09d50d455e100351618b5909e67ee13200d0f821dc339aa4ce8c607fb5263c5013a76935e1513d845bce441ea
-
Filesize
264KB
MD5563416242050b0c8be619fb2a6e9efa7
SHA118836f4e99a61734f54a6f773e7ec4d94193e44c
SHA2569b64e5e12ac30dcb5d095ec8afd5e70950962ec0574d84a6202c7f8c7133d1b7
SHA5126d2daff70131b20f4e5866b48942a4ca93a3a0f0d20d9cc0a59d89c60fc56c353e663d0e02e80170ece783150bc139189b9454b59cbe508540fa317c051795db
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
150KB
MD514937b985303ecce4196154a24fc369a
SHA1ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA25671006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA5121d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
3.0MB
MD547c5385bd4351bcc1ef5b3abc8646718
SHA13a224284bdc8536e08525e5258508bea49b7da28
SHA2568debf2bb0e3af08f2124f2700bf14da2b702d57b1e3c120888bb2b2726691d3d
SHA512ef19b57a849d57519796bd415fe8f1218485fd9df8a01d52c9a2e28d93df5988b40131a6bb2313e16e942606039eab4b392d8c3d4c569e23d7f4c48865ae1cf6
-
Filesize
1.2MB
MD5925e925abafc9011e3639e6751503563
SHA1a06367dafb7be553fa7bd10e226a97c60a02e1cc
SHA256383de7b96e7136bc00c2e5ea510aa6b92aff9c7d2d7ec9b00d7b938cacf9f9e1
SHA51290ef550fe9b2b4caa7dc71c9f2dc7c141405b463a8f9545fc805a7b949439c2011788cc2d7342e69f4a45352513e14a4498d2c1f3e7479bc6a694f8faf2c2772
-
Filesize
4.1MB
MD5565eafe6b1e3e278a166c0618d9c858c
SHA1b49fd657f0d8ca4b2aff93b1c20d0611a39b70af
SHA256c395b462f4dce8b59cf3fab55fafd1209b7b6a50e0c0ca5e79187eb68a6daba7
SHA512b2fb4511436731a476d0caea8321f4cb455fc7fc6d9753ac75eda13e549ff9ee451ab3564e0b46c9e4074a56dea73a285bfbd056e56468c21596905ead11faab
-
Filesize
36.5MB
MD5b8c03a9ea4e4887f9b2e7759850c44a7
SHA10b165e123a784277692855d7d5cbbf29cb83e1d1
SHA256cc44df9fac4c3dc0c8b6b25293c826222b7103a1d8b8539f536815bb36883ae2
SHA51223f6ada79daa0b506abd3fc50bec6b221ceec15cea497e67b60655db44be7957182daba86bd905f6dd83381ad668797af27e22dd1b9e798b3af665bfca9467b0
-
Filesize
45B
MD5ded655d231aff2ad8202cda27c449ded
SHA18a503ac7b87d5079185a45e4710d203a091840ca
SHA256d38d988706310212136008741578743d0a6c15306b1ba023528c02ad68c5d6d0
SHA512e4c9129cf89f8cc168e416bfae564edac4a36ab3a9f40ba0f5dd64816cae65352ea173a7bb4596c9170d80efd8996b84b8b0d2786ee5832230f6ea44635646b7
-
Filesize
222B
MD5d281845185677e76e311b88a97a99772
SHA1df1eafc47f9fd799a9f9c4c9165990df0ab93ebc
SHA2563bf926641ebc5f58c09a5b937520dbbb72c99e7104569f785374b107028d7228
SHA5123320b6402249a60b71156f18060831900cf52e093bbb5b2cf7e041bb8142e9182494345c4d054190be13f364566c599d95558c43740691be1b2c2e421a685567
-
Filesize
872KB
MD568c11f57958f8209d5eacc0150114228
SHA15ffa68521247fa7793683ab31d953772278c2f9c
SHA256a0af94bd0a09386417f6754caea14f6b53351ddc1d3c85fd3d0d782722602148
SHA512916a9647c003bfbcc47d6e93ca86cd3088bf1cad79328eda74fe040b8a375e57079e89eb958bd29066aa7970167279e1ee16055312b204257cf8996b076adbbe
-
Filesize
4.2MB
-
Filesize
40KB
-
Filesize
904KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.2MB