Analysis Overview
SHA256
5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
Threat Level: Known bad
The file 526153CBD86009228AD53CD262A9C6B3.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
DCRat payload
Dcrat family
DCRat payload
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 04:51
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 04:51
Reported
2024-05-16 04:53
Platform
win7-20240508-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
(57 identical rows in the original report, one per schtasks.exe invocation listed under Processes below.)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\es\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\System32\es\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Sidebar\en-US\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\explorer.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\services.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\it-IT\lsass.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\it-IT\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\it-IT\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\security\database\Idle.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\security\database\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\servicing\System.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\it-IT\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe
"C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\es\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\es\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\es\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\it-IT\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\database\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\database\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\database\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H6YNKoNS9r.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e8c74d4-a5ed-42d9-a1d3-ecaa7287adf0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ce340bf-9d5b-42a4-8fe3-251aebebd64b.vbs"
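The 57 schtasks.exe invocations above follow one template: every dropped copy gets three tasks, a MINUTE-interval task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. The interval tasks are named after the target's file stem with its own first character appended (explorer → "explorere", csrss → "csrssc", System → "SystemS", Idle → "IdleI"), and every target reuses a Windows process name (csrss.exe, lsass.exe, services.exe, audiodg.exe, ...) while living outside System32, in MSOCache, Recovery, Program Files or a Windows language subfolder. The schtasks.exe processes themselves are children of wmiprvse.exe, which is what you see when a process is launched through WMI rather than directly by the dropper, and which is why the process-tree signature fires. The script below is an added hunting example written for this report, not part of the sandbox output or of DCRat; it parses command lines of this shape and flags the three traits. SYSTEM_NAMES, LEGIT_DIRS and the benign "Backup" control line are analyst-chosen assumptions; the other sample lines are copied from the Processes section. It also flags the `w32tm /stripchart /computer:localhost` call, which is commonly used by batch droppers as a sleep (it blocks for roughly period × samples seconds and has no reason to run from a user's Temp folder).

```python
"""Hunt for DCRat-style scheduled-task persistence in process command lines.

Added example for this sandbox report (not sandbox or DCRat code). Flags:
  * task name == target file stem + its own first character ("explorer" -> "explorere")
  * /rl HIGHEST (task runs with highest available privileges)
  * target borrows a Windows process name but is not under System32 / SysWOW64
  * w32tm /stripchart against localhost, a common dropper delay idiom
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Analyst-chosen list of process names this family likes to imitate (assumption).
SYSTEM_NAMES = {
    "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "spoolsv.exe",
    "audiodg.exe", "dllhost.exe", "explorer.exe", "taskhost.exe", "sppsvc.exe",
    "fontdrvhost.exe", "unsecapp.exe", "upfc.exe", "idle.exe", "system.exe",
}
# Directories where a binary with one of those names is expected (assumption).
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# schtasks switches we care about, with a quoted or bare value following them.
_FLAG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


@dataclass
class TaskFinding:
    task_name: str
    target: str
    schedule: str
    highest: bool
    reasons: list[str]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Return {switch: value} for /tn /sc /mo /tr /rl, with surrounding quotes removed.

    /tr values on this page are double-quoted and then single-quoted
    ("'C:\\...\\explorer.exe'"), so both quote layers are stripped.
    """
    opts: dict[str, str] = {}
    for flag, value in _FLAG_RE.findall(cmdline):
        opts[flag.lower()] = value.strip('"').strip("'")
    return opts


def analyse_schtasks(cmdline: str) -> Optional[TaskFinding]:
    """Parse one `schtasks /create` line and return a finding if it looks like DCRat persistence."""
    if "/create" not in cmdline.lower():
        return None
    opts = parse_schtasks(cmdline)
    name, target = opts.get("tn", ""), opts.get("tr", "")
    if not name or not target:
        return None

    path = PureWindowsPath(target)
    reasons: list[str] = []

    # 1. DCRat naming convention: stem followed by its own first character.
    if path.stem and name == path.stem + path.stem[0]:
        reasons.append("task name is target stem + first char")

    # 2. Highest run level requested.
    highest = opts.get("rl", "").upper() == "HIGHEST"
    if highest:
        reasons.append("/rl HIGHEST")

    # 3. System-process name dropped outside the system directories.
    if path.name.lower() in SYSTEM_NAMES and not target.lower().startswith(LEGIT_DIRS):
        reasons.append("system-process name outside System32/SysWOW64")

    if not reasons:
        return None
    schedule = opts.get("sc", "").upper()
    if "mo" in opts:
        schedule += f" /mo {opts['mo']}"
    return TaskFinding(name, target, schedule, highest, reasons)


def is_w32tm_delay(cmdline: str) -> bool:
    """w32tm /stripchart /computer:localhost blocks for ~period*samples seconds; droppers use it as sleep."""
    low = cmdline.lower()
    return "w32tm" in low and "/stripchart" in low and "/computer:localhost" in low


def hunt(cmdlines: list[str]) -> dict[str, list]:
    """Run both checks over a list of command lines (e.g. from Sysmon Event ID 1 or a sandbox process list)."""
    result: dict[str, list] = {"tasks": [], "delays": []}
    for cmd in cmdlines:
        finding = analyse_schtasks(cmd)
        if finding:
            result["tasks"].append(finding)
        if is_w32tm_delay(cmd):
            result["delays"].append(cmd)
    return result


# Lines 1-4 and 6 are copied from the Processes section of this report; line 5 is a constructed benign control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\database\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\robocopy.exe" /f''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
]

if __name__ == "__main__":
    report = hunt(SAMPLE_CMDLINES)
    for f in report["tasks"]:
        print(f"{f.task_name:<10} {f.schedule:<14} highest={f.highest!s:<5} -> {f.target}")
        for why in f.reasons:
            print("    -", why)
    print(f"w32tm delay idiom seen {len(report['delays'])} time(s)")
```

Against the six sample lines the script reports four persistence tasks (the benign robocopy task does not trip any rule) and one delay idiom. Feeding it the full Processes list above yields all 57 tasks; the ONLOGON tasks are caught by rules 2 and 3 alone, since their names carry no suffix.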
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aery-messages.000webhostapp.com | udp |
| US | 145.14.145.225:80 | aery-messages.000webhostapp.com | tcp |
| US | 145.14.145.225:80 | aery-messages.000webhostapp.com | tcp |
| US | 145.14.145.225:80 | aery-messages.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | aery-messages.000webhostapp.com | udp |
| US | 145.14.144.97:80 | aery-messages.000webhostapp.com | tcp |
| US | 145.14.144.97:80 | aery-messages.000webhostapp.com | tcp |
| US | 145.14.144.97:80 | aery-messages.000webhostapp.com | tcp |
Files
memory/1868-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp
memory/1868-1-0x00000000001E0000-0x0000000000456000-memory.dmp
memory/1868-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp
memory/1868-3-0x0000000000140000-0x000000000015C000-memory.dmp
memory/1868-4-0x0000000000160000-0x0000000000168000-memory.dmp
memory/1868-5-0x0000000000180000-0x0000000000196000-memory.dmp
memory/1868-6-0x0000000002220000-0x0000000002276000-memory.dmp
memory/1868-7-0x00000000001A0000-0x00000000001AC000-memory.dmp
memory/1868-8-0x00000000001B0000-0x00000000001C2000-memory.dmp
memory/1868-9-0x0000000000460000-0x0000000000468000-memory.dmp
memory/1868-10-0x0000000000470000-0x000000000047A000-memory.dmp
memory/1868-11-0x0000000000480000-0x000000000048E000-memory.dmp
memory/1868-12-0x0000000000490000-0x000000000049C000-memory.dmp
C:\Program Files\Windows Sidebar\it-IT\lsass.exe
| MD5 | 526153cbd86009228ad53cd262a9c6b3 |
| SHA1 | 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2 |
| SHA256 | 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48 |
| SHA512 | 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665 |
C:\Users\Admin\AppData\Local\Temp\H6YNKoNS9r.bat
| MD5 | a371de180c054baca52bd08db4bd087c |
| SHA1 | 7a96be45c846b11facc23c24fbd60a305608bd53 |
| SHA256 | a81447731aa8081f824f65c84a20c27f48dfbf4dd47e2b5d12f5b393c4a819c5 |
| SHA512 | 69843ed38defa592297f7318aa5d8c238591f955c4e30ff7d0c57e80d43c2f9352228a77d3b7110daeff64f590180fc58e17fd1de2a2acdf165db93da1341b4e |
memory/1868-56-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp
memory/2712-59-0x00000000008D0000-0x0000000000B46000-memory.dmp
memory/2712-60-0x0000000000590000-0x00000000005A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5e8c74d4-a5ed-42d9-a1d3-ecaa7287adf0.vbs
| MD5 | 341a9599befc7b2c0a4f81d425d1da29 |
| SHA1 | eaf81be0f773bc36685b573877ea6d1ca1dd2684 |
| SHA256 | 7fc1c13bf58e5f7e4be4c0dc266e44b87a7dc658d85cc2fd3132715a7763cc1e |
| SHA512 | cd8622c90629e8d09db9b3638faebdd0e18c34e71c43bac09395ed09bee1ae8434a5d92edf92afd19a3a0d67755306c99c2db2dd2f7200b4da7a44a6985fa01d |
C:\Users\Admin\AppData\Local\Temp\2ce340bf-9d5b-42a4-8fe3-251aebebd64b.vbs
| MD5 | a185c42cd56f89a902a7308dec75a0b4 |
| SHA1 | 78a109b4f8454be5b5b0724f84a3589d65870a75 |
| SHA256 | 9bc9cecb9de2dd74467f249aab427145b4eef0be53a881685f1c10106ef0023c |
| SHA512 | 5dcbcecff9112ad7361c1674d8bfe89218ff0bef40988d7d6c817376e9ef9fd03612a747b8a47293b418acd76584ba8bf6cbe3f620915a574041c264bb02b208 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 04:51
Reported
2024-05-16 04:53
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
(27 identical rows in the original report, one per schtasks.exe invocation in this run.)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Public\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\ea1d8f6d871115 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\lsass.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\DiagTrack\lsass.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\DiagTrack\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\PLA\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| File created | C:\Windows\PLA\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Users\Public\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2032 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | C:\Users\Public\dllhost.exe |
| PID 2032 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe | C:\Users\Public\dllhost.exe |
| PID 2160 wrote to memory of 3284 | N/A | C:\Users\Public\dllhost.exe | C:\Windows\System32\WScript.exe |
| PID 2160 wrote to memory of 3284 | N/A | C:\Users\Public\dllhost.exe | C:\Windows\System32\WScript.exe |
| PID 2160 wrote to memory of 1288 | N/A | C:\Users\Public\dllhost.exe | C:\Windows\System32\WScript.exe |
| PID 2160 wrote to memory of 1288 | N/A | C:\Users\Public\dllhost.exe | C:\Windows\System32\WScript.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe
"C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Users\Public\dllhost.exe
"C:\Users\Public\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs"
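The schtasks command lines above are the persistence layer a responder would want to pull out of process-creation telemetry: each dropped copy of a Windows system-binary name (lsass.exe, smss.exe, spoolsv.exe, dllhost.exe, dwm.exe, RuntimeBroker.exe, unsecapp.exe, upfc.exe) gets one ONLOGON task plus two MINUTE-interval tasks, most with /rl HIGHEST. The following is an added example for this page, not code from the sandbox report or from the DCRat sample. It parses `schtasks /create` command lines as they appear in Sysmon Event ID 1 or Security 4688 CommandLine fields and flags that pattern. The list of legitimate directories, the benign `NightlyBackup` line and the `/query` line are assumptions constructed for the example; the other sample lines are copied from the Processes list.

```python
"""Parse `schtasks /create` command lines from process-creation telemetry
and flag the persistence pattern shown in this report.

Added example for this page; not code from the sandbox report or from the
DCRat sample. The legitimate-directory list and the two constructed sample
lines are assumptions; the other sample lines are copied from the report.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Names of Windows binaries that legitimately live only under %SystemRoot%.
# A copy with one of these names anywhere else is a masquerade candidate.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "smss.exe", "spoolsv.exe", "dllhost.exe", "dwm.exe",
    "runtimebroker.exe", "fontdrvhost.exe", "unsecapp.exe", "upfc.exe",
    "csrss.exe", "winlogon.exe", "svchost.exe", "wscript.exe",
}
# Where those names are expected (assumption; extend for your estate).
LEGIT_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Locations no legitimate installer drops an EXE into.
ODD_PREFIXES = (r"c:\users\public", r"c:\recovery")

# /tn, /sc, /mo, /tr, /rl each take one value: a double-quoted string or a bare token.
OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)


@dataclass
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, DAILY, ...
    modifier: Optional[int]  # /mo value, e.g. 14 for "every 14 minutes"
    target: str              # program the task runs, quotes removed
    highest: bool            # /rl HIGHEST requested


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return the Task a `schtasks /create` command line registers, else None."""
    if not CREATE_RE.search(cmdline):
        return None
    opts = {}
    for key, val in OPT_RE.findall(cmdline):
        # This sample wraps the path as "'C:\...'", so strip both quote kinds.
        opts[key.lower()] = val.strip('"').strip("'")
    if "tn" not in opts or "tr" not in opts:
        return None
    mo = opts.get("mo", "")
    return Task(
        name=opts["tn"],
        schedule=opts.get("sc", "").upper(),
        modifier=int(mo) if mo.isdigit() else None,
        target=opts["tr"],
        highest=opts.get("rl", "").upper() == "HIGHEST",
    )


def reasons(task: Task) -> List[str]:
    """List why a task looks like malware persistence; empty means nothing odd."""
    path = PureWindowsPath(task.target)
    low = task.target.lower()
    out = []
    if path.name.lower() in SYSTEM_BINARY_NAMES and not low.startswith(LEGIT_PREFIXES):
        out.append(f"system binary name {path.name} outside System32: {path.parent}")
    if low.startswith(ODD_PREFIXES):
        out.append(f"executable in unusual location: {path.parent}")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        out.append(f"re-launched every {task.modifier} min")
    if task.highest:
        out.append("/rl HIGHEST")
    return out


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each distinct flagged target path to its deduplicated reasons."""
    findings: Dict[str, List[str]] = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        for why in reasons(task):
            bucket = findings.setdefault(task.target, [])
            if why not in bucket:
                bucket.append(why)
    return findings


# First five lines copied from the Processes list above; the last two are
# constructed: a benign task and a non-/create invocation that must be ignored.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f
schtasks.exe /query /tn "dllhost"
'''.strip().splitlines()

if __name__ == "__main__":
    for target, why in triage(SAMPLE_CMDLINES).items():
        print(target)
        for w in why:
            print("   -", w)
```

Run against real telemetry, the same parser applies to the /query and /delete variants only after widening `CREATE_RE`; it is deliberately restricted to /create so that benign inventory scripts do not light it up. Tune `LEGIT_PREFIXES` before deploying: unsecapp.exe, for instance, legitimately lives under System32\wbem, which the System32 prefix already covers.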
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aery-messages.000webhostapp.com | udp |
| US | 145.14.144.88:80 | aery-messages.000webhostapp.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 145.14.144.88:80 | aery-messages.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 145.14.144.88:80 | aery-messages.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | aery-messages.000webhostapp.com | udp |
| US | 145.14.144.104:80 | aery-messages.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 104.144.14.145.in-addr.arpa | udp |
| US | 145.14.144.104:80 | aery-messages.000webhostapp.com | tcp |
| US | 145.14.144.104:80 | aery-messages.000webhostapp.com | tcp |
| US | 145.14.144.104:80 | aery-messages.000webhostapp.com | tcp |
Files
memory/2032-0-0x00007FFB32EF3000-0x00007FFB32EF5000-memory.dmp
memory/2032-1-0x0000000000190000-0x0000000000406000-memory.dmp
memory/2032-2-0x00007FFB32EF0000-0x00007FFB339B1000-memory.dmp
memory/2032-3-0x0000000000AD0000-0x0000000000AEC000-memory.dmp
memory/2032-4-0x00000000026F0000-0x0000000002740000-memory.dmp
memory/2032-7-0x0000000002570000-0x00000000025C6000-memory.dmp
memory/2032-6-0x0000000002550000-0x0000000002566000-memory.dmp
memory/2032-5-0x0000000000B50000-0x0000000000B58000-memory.dmp
memory/2032-8-0x00000000025C0000-0x00000000025CC000-memory.dmp
memory/2032-9-0x00000000025D0000-0x00000000025E2000-memory.dmp
memory/2032-10-0x000000001C0E0000-0x000000001C608000-memory.dmp
memory/2032-11-0x0000000002760000-0x0000000002768000-memory.dmp
memory/2032-13-0x000000001B160000-0x000000001B16E000-memory.dmp
memory/2032-14-0x000000001B170000-0x000000001B17C000-memory.dmp
memory/2032-12-0x000000001B150000-0x000000001B15A000-memory.dmp
C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe
| MD5 | 526153cbd86009228ad53cd262a9c6b3 |
| SHA1 | 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2 |
| SHA256 | 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48 |
| SHA512 | 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665 |
memory/2032-44-0x00007FFB32EF0000-0x00007FFB339B1000-memory.dmp
memory/2160-45-0x000000001B840000-0x000000001B852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs
| MD5 | 8639b865a655e634a8ac101667ca27f2 |
| SHA1 | 9b956668bce1e13694f12a0ae4c99aac461449a9 |
| SHA256 | 945c11447fa6dd6f1cfb903039a40d954427359e522ed38e28d189bd60e13736 |
| SHA512 | 883e60e8295a07b7734a3408ecd2dfb568a79d9450cc85868dc9596257db4db87ceec12900b127e1cfdb2fcf8663a5a64eba235653e8f1be75362da9c90be044 |
C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs
| MD5 | 2ebedb5c507ba00c6edd4888940e2a8b |
| SHA1 | 16cda38cfff9e043c17b086efd82db85b3eeb25e |
| SHA256 | 0b5b8bce363126144965824542c5de8c5024e6c728c3c163842bb0313e7d94bf |
| SHA512 | fbd9efad128ee5dd8ef62cf0425a2726c709bbf4005711c114d8bdc6e7590da64aa80d546426a61c88c533728cef53598745bb1114cbb937f937db1c873db4be |