dcrat | cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Extreme injector.exe
Size

3.8MB
MD5

23de5c2c4de1af322b48d8fb54f52082
SHA1

bace8711338a1c79605866759fadd2c7adbb2630
SHA256

cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e
SHA512

3c592202fda82055fb2ae73bd00dc7c8bbe075b85830469eb81f8605ff34ac62023c2c3c8669bd67bb9622a407a93a047a8d8995fbad324c443bf58422d09ae2
SSDEEP

98304:jdkCCK3XXQO18VeWtC7ZoAxFoHzL2SUKaMDmI:jdkCCKnXt1l7ZzSUKawmI

Score

10^/10

dcrat defense_evasion discovery execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 57 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2980	schtasks.exe
		4824	schtasks.exe
		3324	schtasks.exe
		2376	schtasks.exe
		2956	schtasks.exe
		3564	schtasks.exe
		684	schtasks.exe
		904	schtasks.exe
		2272	schtasks.exe
		2044	schtasks.exe
		1444	schtasks.exe
		4408	powershell.exe
		3172	schtasks.exe
		2736	schtasks.exe
		3152	schtasks.exe
		1824	schtasks.exe
		5004	schtasks.exe
		3520	schtasks.exe
		3256	schtasks.exe
		1456	schtasks.exe
		1164	schtasks.exe
		4452	schtasks.exe
		3288	schtasks.exe
		612	schtasks.exe
		3840	schtasks.exe
		4504	schtasks.exe
		2004	schtasks.exe
		3844	schtasks.exe
		3396	schtasks.exe
		424	schtasks.exe
File created	C:\Windows\L2Schemas\7a0fd90576e088		Componentmonitor.exe
		1680	schtasks.exe
		3676	schtasks.exe
		4984	schtasks.exe
		4544	schtasks.exe
		2072	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Injector = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Injector.exe"		Extreme injector.exe
		5108	schtasks.exe
		4648	schtasks.exe
		4408	schtasks.exe
		4328	schtasks.exe
		2400	schtasks.exe
		2620	schtasks.exe
		4444	schtasks.exe
		4192	schtasks.exe
		3908	schtasks.exe
		2936	schtasks.exe
		3104	schtasks.exe
		4948	schtasks.exe
		4736	schtasks.exe
		1040	schtasks.exe
		3916	schtasks.exe
		3164	schtasks.exe
		4356	schtasks.exe
		4208	schtasks.exe
		4080	schtasks.exe
		3384	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1812	schtasks.exe	90

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023c94-36.dat	dcrat
behavioral2/files/0x0007000000023c99-55.dat	dcrat
behavioral2/memory/2876-58-0x00000000002E0000-0x0000000000594000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cef-140.dat	dcrat
behavioral2/files/0x0008000000023cb5-200.dat	dcrat
behavioral2/files/0x000a000000023cb9-221.dat	dcrat
behavioral2/files/0x0009000000023cbf-224.dat	dcrat
behavioral2/files/0x000e000000023cbf-290.dat	dcrat
behavioral2/memory/2304-385-0x0000000000F70000-0x0000000001224000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4408	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Extreme injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Componentmonitor.exe

Executes dropped EXE 4 IoCs

pid	Process
2152	Extreme Injector v3.exe
424	Injector.exe
2876	Componentmonitor.exe
2304	SearchApp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Injector = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Injector.exe"	Extreme injector.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Componentmonitor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\6ccacd8608530f	Componentmonitor.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	Componentmonitor.exe
File created	C:\Program Files\Windows Media Player\Icons\sppsvc.exe	Componentmonitor.exe
File created	C:\Program Files\Windows NT\SearchApp.exe	Componentmonitor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXE0FE.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXF812.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\wininit.exe	Componentmonitor.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\RCXEA9C.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe	Componentmonitor.exe
File opened for modification	C:\Program Files\Windows NT\RCX7D1.tmp	Componentmonitor.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\wininit.exe	Componentmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Componentmonitor.exe	Componentmonitor.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Adobe\Idle.exe	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXF4.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files\Windows NT\RCX7D0.tmp	Componentmonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\5b884080fd4f94	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXFA28.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX181.tmp	Componentmonitor.exe
File created	C:\Program Files (x86)\Common Files\Java\Componentmonitor.exe	Componentmonitor.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	Componentmonitor.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\56085415360792	Componentmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\22eafd247d37c3	Componentmonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXF03D.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe	Componentmonitor.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe	Componentmonitor.exe
File created	C:\Program Files (x86)\Adobe\6ccacd8608530f	Componentmonitor.exe
File created	C:\Program Files\Windows NT\38384e6a620884	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXEFA0.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXF813.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\dllhost.exe	Componentmonitor.exe
File opened for modification	C:\Program Files\Windows NT\SearchApp.exe	Componentmonitor.exe
File created	C:\Program Files (x86)\Common Files\Java\cce1a2ef02be31	Componentmonitor.exe
File created	C:\Program Files (x86)\Adobe\Idle.exe	Componentmonitor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXE10E.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\RCXE547.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\RCXE5C5.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\RCXEA8B.tmp	Componentmonitor.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXFA27.tmp	Componentmonitor.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\explorer.exe	Componentmonitor.exe
File opened for modification	C:\Windows\L2Schemas\explorer.exe	Componentmonitor.exe
File created	C:\Windows\L2Schemas\7a0fd90576e088	Componentmonitor.exe
File created	C:\Windows\bcastdvr\f3b6ecef712a24	Componentmonitor.exe
File opened for modification	C:\Windows\bcastdvr\RCXFEE0.tmp	Componentmonitor.exe
File created	C:\Windows\bcastdvr\spoolsv.exe	Componentmonitor.exe
File opened for modification	C:\Windows\L2Schemas\RCXDEF9.tmp	Componentmonitor.exe
File opened for modification	C:\Windows\bcastdvr\RCXFECF.tmp	Componentmonitor.exe
File created	C:\Windows\CbsTemp\taskhostw.exe	Componentmonitor.exe
File created	C:\Windows\CbsTemp\ea9f0e6c9e2dcd	Componentmonitor.exe
File opened for modification	C:\Windows\bcastdvr\spoolsv.exe	Componentmonitor.exe
File opened for modification	C:\Windows\CbsTemp\RCX396.tmp	Componentmonitor.exe
File opened for modification	C:\Windows\L2Schemas\RCXDEAA.tmp	Componentmonitor.exe
File opened for modification	C:\Windows\CbsTemp\RCX3A6.tmp	Componentmonitor.exe
File opened for modification	C:\Windows\CbsTemp\taskhostw.exe	Componentmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Injector.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Componentmonitor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3256	schtasks.exe
612	schtasks.exe
3840	schtasks.exe
2620	schtasks.exe
2956	schtasks.exe
4356	schtasks.exe
4948	schtasks.exe
5108	schtasks.exe
3324	schtasks.exe
3152	schtasks.exe
4736	schtasks.exe
2980	schtasks.exe
4408	schtasks.exe
1040	schtasks.exe
3916	schtasks.exe
3396	schtasks.exe
2044	schtasks.exe
2004	schtasks.exe
4452	schtasks.exe
2736	schtasks.exe
4504	schtasks.exe
4328	schtasks.exe
3384	schtasks.exe
1164	schtasks.exe
4080	schtasks.exe
3564	schtasks.exe
3104	schtasks.exe
4824	schtasks.exe
904	schtasks.exe
2272	schtasks.exe
684	schtasks.exe
1444	schtasks.exe
2936	schtasks.exe
1680	schtasks.exe
3676	schtasks.exe
2376	schtasks.exe
3520	schtasks.exe
4192	schtasks.exe
424	schtasks.exe
4984	schtasks.exe
4444	schtasks.exe
3288	schtasks.exe
4544	schtasks.exe
1456	schtasks.exe
3172	schtasks.exe
3908	schtasks.exe
1824	schtasks.exe
3164	schtasks.exe
2400	schtasks.exe
2072	schtasks.exe
4208	schtasks.exe
5004	schtasks.exe
3844	schtasks.exe
4648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4408	powershell.exe
4408	powershell.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2876	Componentmonitor.exe
2304	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: SeDebugPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: SeDebugPrivilege	2876	Componentmonitor.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: SeDebugPrivilege	2304	SearchApp.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2152	Extreme Injector v3.exe
Token: 33	2152	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2152	3652	Extreme injector.exe	82
PID 3652 wrote to memory of 2152	3652	Extreme injector.exe	82
PID 3652 wrote to memory of 4408	3652	Extreme injector.exe	83
PID 3652 wrote to memory of 4408	3652	Extreme injector.exe	83
PID 3652 wrote to memory of 424	3652	Extreme injector.exe	85
PID 3652 wrote to memory of 424	3652	Extreme injector.exe	85
PID 3652 wrote to memory of 424	3652	Extreme injector.exe	85
PID 424 wrote to memory of 524	424	Injector.exe	86
PID 424 wrote to memory of 524	424	Injector.exe	86
PID 424 wrote to memory of 524	424	Injector.exe	86
PID 524 wrote to memory of 2368	524	WScript.exe	92
PID 524 wrote to memory of 2368	524	WScript.exe	92
PID 524 wrote to memory of 2368	524	WScript.exe	92
PID 2368 wrote to memory of 2876	2368	cmd.exe	94
PID 2368 wrote to memory of 2876	2368	cmd.exe	94
PID 2876 wrote to memory of 2304	2876	Componentmonitor.exe	151
PID 2876 wrote to memory of 2304	2876	Componentmonitor.exe	151

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Componentmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Extreme injector.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme injector.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
  2⤵
  - DcRat
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChaincomponentWebCrt\TyN1beQAOk.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ChaincomponentWebCrt\MPvPPnEP8ql73Oq.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\ChaincomponentWebCrt\Componentmonitor.exe
        
        "C:\ChaincomponentWebCrt\Componentmonitor.exe"
        5⤵
        DcRat
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2876
      - C:\Program Files\Windows NT\SearchApp.exe
        
        "C:\Program Files\Windows NT\SearchApp.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentmonitorC" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\Componentmonitor.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Componentmonitor" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Componentmonitor.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComponentmonitorC" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\Componentmonitor.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\ChaincomponentWebCrt\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ChaincomponentWebCrt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\ChaincomponentWebCrt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\ChaincomponentWebCrt\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ChaincomponentWebCrt\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\ChaincomponentWebCrt\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\ChaincomponentWebCrt\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\ChaincomponentWebCrt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\ChaincomponentWebCrt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\bcastdvr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\CbsTemp\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Extreme Injector v3E" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Extreme Injector v3.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Extreme Injector v3" /sc ONLOGON /tr "'C:\Users\Default User\Extreme Injector v3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Extreme Injector v3E" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Extreme Injector v3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChaincomponentWebCrt\Componentmonitor.exe

Filesize
2.7MB

MD5
15745dcd5fc0fcfea4f0f0b1eaf81ad6

SHA1
258fc8e175f596d59139f0588368f74c3ef65150

SHA256
015cc3f392cb4c3b3d705a3edef3ed94031e8cd6b2d4a80b4123ce60319f1ce1

SHA512
41651c352fb29ce7242929f6314eed8111fbcb5e12f5b7a7ca826c8e3a6a401844ab09b454b33ed40f429a50861623af22d28c940f90d12a7225c90fb4ead021

Download Submit
C:\ChaincomponentWebCrt\MPvPPnEP8ql73Oq.bat

Filesize
46B

MD5
12c9bbff6c5b9ccf2998ead53eb4a7a1

SHA1
2bfc95bf289ee50b43e4441a7b1addaa643d605c

SHA256
09fd9ed68963fa1404292b9fa84d51b57cd3bfffc73808dc20a1807947bd70f8

SHA512
c02d02a3d8f5cbf9b28047001dc130b63e63c67b97578d4c675a2c58615c7a7b803a8ce76218a2c10b7c5e5c6d541d0e2571566719c6ce27ca66a9b42cddaa93

Download Submit
C:\ChaincomponentWebCrt\RCXF551.tmp

Filesize
2.7MB

MD5
0be35a770c5f941c5eb72864fe5b24c1

SHA1
f4d44231b4aa598ad76bb6c1d615bf7ec1170c29

SHA256
f3a9987e92ed2fef8311904344524588d23dd5a253c2b7611f7757a646998344

SHA512
688bebd78819dcc21ba6f056fbbd5944487c37f7fc02efa744ba76602eeddd1d23a5bccee20b59e559896a65401198f9958af576bf3e734d6a6b4ce4b216bbfc

Download Submit
C:\ChaincomponentWebCrt\TyN1beQAOk.vbe

Filesize
212B

MD5
ddbf10d9165a769a6d20fcd2e118bd0d

SHA1
7b872ed9f4f48bdb2b2de5cc3406d39135e5ba82

SHA256
69a84572c197b52b3beb9ec67145c4c1d198936bcc5846a1439da09015790401

SHA512
9c5b2bb9e9abe544bd05ded6aa4c23732b0afee6f95853255a67dcbfa6cc228b850bb273576e0988e37db04c0a854e7b8be648d967a13e4fac705b7e20803e02

Download Submit
C:\ChaincomponentWebCrt\fontdrvhost.exe

Filesize
2.7MB

MD5
d0ea5f4ff5dac46cc819a16d89395662

SHA1
60b4e5fe7e2803e189c66609ca6b636b04e7b0cf

SHA256
8e4b31f0e41b558e837a96e342e0f964087cb252729b1924204f30589fc5a951

SHA512
4fa8725ec6f80032371240d4b6cea12173f5444891d1bbac6af116c5e8fc278f4f5e8da3410a220e47451a365e10949e3c900ecb69872559bf5e565688a012c4

Download Submit
C:\ChaincomponentWebCrt\sysmon.exe

Filesize
2.7MB

MD5
b4f07da68583e209bc79e99a0946cb97

SHA1
e29bd6c6fd564a2f617c35462cabba21d1f975db

SHA256
76251c99b7db70598873007432f24a7039094b8b0c5bfebe9e6ea13eeea518df

SHA512
609ffc390f75ca6ec73937a952600559c73b0fbf85992358afb8dffd720a77c3e7e35b90eff195c264a9dd3cf28e7968c3781091d0d2bb05784769fa1cfeaab2

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe

Filesize
2.7MB

MD5
b6926173394a71858e35acdb0f7d2b6e

SHA1
e792c44d43fdeb7dae261065044f1fe412500e9e

SHA256
0f31f038566b998332f7096a42d2f4817a4c78f77e8bbe1a93dfb0728d667057

SHA512
d31b526c3a246e6e7c207e27feaa298827ecc31f1059551da1195dd628653509ae72e1652788595b294fe4c8c1846e30d771b1df75634c00c7345886bad3ccf7

Download Submit
C:\Program Files\VideoLAN\VLC\hrtfs\RCXE10E.tmp

Filesize
2.7MB

MD5
87006d66e8d6786aaa070a7095400645

SHA1
68a3e6d9d811caa515e18d62e355ac2903505afe

SHA256
cf8eebc2deace46b589143dee2f6ab6395304029fbe864093e6870949651e608

SHA512
f2c2e8c03b74e8cc1f2fe2938bab4f5cde23f0f7f8290bb509615085fb1f35baef8c3c47f726a8b22f5f44c6828bfce9ba7f64923715a8df28df999de702effd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
3.0MB

MD5
cdc73a31577a496fc31045ab14c36068

SHA1
a3f346391fd71d9c38b750ef843d33c9a05385a9

SHA256
b5bc765bb2a46b9a737ea217cf2a12e50d0b56d27c42a78af873bb970b18fcd3

SHA512
9f7b901ecce8d46ab2b4afe0f901d7ce0a52f5d34642f0d21d91c0cc54709ab958c1445a6b58cb3328c87d104fd65bd4b09446456aefd0d9a875e5fe0ff6f687

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq2largp.cbh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2152-15-0x00000000000F0000-0x00000000002D6000-memory.dmp

Filesize
1.9MB

Download
memory/2152-28-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/2152-37-0x000000001B290000-0x000000001B2A2000-memory.dmp

Filesize
72KB

Download
memory/2152-38-0x000000001D780000-0x000000001D7BC000-memory.dmp

Filesize
240KB

Download
memory/2152-59-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/2152-14-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/2152-53-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/2304-385-0x0000000000F70000-0x0000000001224000-memory.dmp

Filesize
2.7MB

Download
memory/2304-386-0x000000001C570000-0x000000001C582000-memory.dmp

Filesize
72KB

Download
memory/2876-62-0x0000000002840000-0x0000000002890000-memory.dmp

Filesize
320KB

Download
memory/2876-71-0x000000001BE90000-0x000000001C3B8000-memory.dmp

Filesize
5.2MB

Download
memory/2876-60-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2876-61-0x0000000000E10000-0x0000000000E2C000-memory.dmp

Filesize
112KB

Download
memory/2876-78-0x000000001B980000-0x000000001B98C000-memory.dmp

Filesize
48KB

Download
memory/2876-63-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/2876-66-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/2876-67-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/2876-65-0x0000000000E50000-0x0000000000E66000-memory.dmp

Filesize
88KB

Download
memory/2876-64-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/2876-68-0x0000000002890000-0x00000000028E6000-memory.dmp

Filesize
344KB

Download
memory/2876-69-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2876-70-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2876-58-0x00000000002E0000-0x0000000000594000-memory.dmp

Filesize
2.7MB

Download
memory/2876-74-0x000000001B330000-0x000000001B33C000-memory.dmp

Filesize
48KB

Download
memory/2876-73-0x000000001B320000-0x000000001B328000-memory.dmp

Filesize
32KB

Download
memory/2876-72-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2876-76-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/2876-75-0x000000001B340000-0x000000001B34E000-memory.dmp

Filesize
56KB

Download
memory/2876-77-0x000000001B970000-0x000000001B97A000-memory.dmp

Filesize
40KB

Download
memory/3652-0-0x00007FF9DB8B3000-0x00007FF9DB8B5000-memory.dmp

Filesize
8KB

Download
memory/3652-43-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/3652-3-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/3652-1-0x0000000000D60000-0x000000000112A000-memory.dmp

Filesize
3.8MB

Download
memory/4408-31-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/4408-24-0x0000026FEE860000-0x0000026FEE882000-memory.dmp

Filesize
136KB

Download
memory/4408-17-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/4408-16-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download