Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 04:36
Behavioral task
behavioral1
Sample
6386C6BC5C2E9E6EA345B370F67868B6.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
6386C6BC5C2E9E6EA345B370F67868B6.exe
Resource
win10v2004-20240508-en
General
-
Target
6386C6BC5C2E9E6EA345B370F67868B6.exe
-
Size
1.2MB
-
MD5
6386c6bc5c2e9e6ea345b370f67868b6
-
SHA1
534e13f301e9816d6df34ac36d31bfc1b03c1a39
-
SHA256
d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae
-
SHA512
85004597a30f91b42b857e66d2a186c0b359a884981f3ace452e270f618776233d2ed489e66b06aa8e6c0f25dedc76c827480c2bcb608bf6b17408c7d62712dd
-
SSDEEP
24576:/2G/nvxW3WxE37uuHjiOZmd3Oq+PaEzSJUmgvPgyGGsOfCGHsIIm:/bA3HLffCG7rs4Hsg
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeComcommon.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2768 schtasks.exe 1528 schtasks.exe 2588 schtasks.exe 380 schtasks.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\6cb0b6c459d5d3 Comcommon.exe 2624 schtasks.exe 2520 schtasks.exe 1544 schtasks.exe 1524 schtasks.exe 2260 schtasks.exe 2476 schtasks.exe 2820 schtasks.exe 940 schtasks.exe 2772 schtasks.exe 1548 schtasks.exe 1984 schtasks.exe 1636 schtasks.exe 2740 schtasks.exe 2960 schtasks.exe 2972 schtasks.exe 2996 schtasks.exe 1196 schtasks.exe 2288 schtasks.exe 1044 schtasks.exe 1976 schtasks.exe 2676 schtasks.exe 1824 schtasks.exe 536 schtasks.exe 2984 schtasks.exe 1176 schtasks.exe 2936 schtasks.exe 1832 schtasks.exe 1172 schtasks.exe 2908 schtasks.exe 796 schtasks.exe 2712 schtasks.exe 2748 schtasks.exe 2132 schtasks.exe 2128 schtasks.exe 2408 schtasks.exe 956 schtasks.exe 2044 schtasks.exe 780 schtasks.exe 1040 schtasks.exe 1452 schtasks.exe 2784 schtasks.exe 1356 schtasks.exe 1768 schtasks.exe File created C:\Windows\Setup\State\0a1fd5f707cd16 Comcommon.exe 408 schtasks.exe 2704 schtasks.exe 1132 schtasks.exe 1924 schtasks.exe 2924 schtasks.exe 1936 schtasks.exe 1404 schtasks.exe 2768 schtasks.exe 1916 schtasks.exe 2100 schtasks.exe 2016 schtasks.exe 1252 schtasks.exe 2472 schtasks.exe 1940 schtasks.exe 2256 schtasks.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2784 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2924 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1940 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1660 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 484 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1464 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2436 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 780 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 380 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2132 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1172 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 732 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1404 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1204 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1524 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1196 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1176 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 940 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2704 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2732 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1132 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2568 schtasks.exe -
Processes:
resource yara_rule \portServercrt\Comcommon.exe dcrat behavioral1/memory/2656-13-0x0000000000DF0000-0x0000000000EF0000-memory.dmp dcrat behavioral1/memory/3052-51-0x0000000000160000-0x0000000000260000-memory.dmp dcrat behavioral1/memory/1532-90-0x0000000000A00000-0x0000000000B00000-memory.dmp dcrat -
Executes dropped EXE 3 IoCs
Processes:
Comcommon.exeComcommon.exeservices.exepid process 2656 Comcommon.exe 3052 Comcommon.exe 1532 services.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2736 cmd.exe 2736 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ipinfo.io 17 ipinfo.io -
Drops file in Program Files directory 21 IoCs
Processes:
Comcommon.exeComcommon.exedescription ioc process File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe Comcommon.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\6cb0b6c459d5d3 Comcommon.exe File created C:\Program Files\Microsoft Games\56085415360792 Comcommon.exe File created C:\Program Files\Windows Defender\en-US\1dd742f3bd626e Comcommon.exe File created C:\Program Files\Common Files\System\it-IT\WmiPrvSE.exe Comcommon.exe File created C:\Program Files (x86)\Uninstall Information\dwm.exe Comcommon.exe File created C:\Program Files (x86)\Uninstall Information\wininit.exe Comcommon.exe File created C:\Program Files (x86)\Uninstall Information\56085415360792 Comcommon.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe Comcommon.exe File created C:\Program Files\Windows Defender\en-US\Comcommon.exe Comcommon.exe File created C:\Program Files (x86)\Google\Update\7a0fd90576e088 Comcommon.exe File created C:\Program Files\Common Files\System\it-IT\24dbde2999530e Comcommon.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\dwm.exe Comcommon.exe File opened for modification C:\Program Files (x86)\Uninstall Information\wininit.exe Comcommon.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e Comcommon.exe File created C:\Program Files\Microsoft Games\wininit.exe Comcommon.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\b75386f1303e64 Comcommon.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc Comcommon.exe File created C:\Program Files (x86)\Google\Update\explorer.exe Comcommon.exe File created C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3 Comcommon.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe Comcommon.exe -
Drops file in Windows directory 6 IoCs
Processes:
Comcommon.exeComcommon.exedescription ioc process File created C:\Windows\de-DE\winlogon.exe Comcommon.exe File created C:\Windows\de-DE\cc11b995f2a76d Comcommon.exe File created C:\Windows\Setup\State\sppsvc.exe Comcommon.exe File created C:\Windows\Setup\State\0a1fd5f707cd16 Comcommon.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe Comcommon.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24 Comcommon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1616 schtasks.exe 2624 schtasks.exe 1044 schtasks.exe 1160 schtasks.exe 2704 schtasks.exe 2740 schtasks.exe 2044 schtasks.exe 2492 schtasks.exe 2768 schtasks.exe 1660 schtasks.exe 2972 schtasks.exe 380 schtasks.exe 2772 schtasks.exe 1924 schtasks.exe 536 schtasks.exe 1252 schtasks.exe 1452 schtasks.exe 2924 schtasks.exe 1976 schtasks.exe 956 schtasks.exe 2712 schtasks.exe 2936 schtasks.exe 2916 schtasks.exe 2528 schtasks.exe 2940 schtasks.exe 1040 schtasks.exe 732 schtasks.exe 1204 schtasks.exe 2820 schtasks.exe 2260 schtasks.exe 1132 schtasks.exe 1824 schtasks.exe 2476 schtasks.exe 2472 schtasks.exe 1984 schtasks.exe 1356 schtasks.exe 2132 schtasks.exe 1404 schtasks.exe 1600 schtasks.exe 2732 schtasks.exe 2840 schtasks.exe 2908 schtasks.exe 2256 schtasks.exe 2436 schtasks.exe 1524 schtasks.exe 2996 schtasks.exe 2100 schtasks.exe 2944 schtasks.exe 2408 schtasks.exe 796 schtasks.exe 1544 schtasks.exe 2676 schtasks.exe 1636 schtasks.exe 2960 schtasks.exe 1548 schtasks.exe 1196 schtasks.exe 940 schtasks.exe 2768 schtasks.exe 1464 schtasks.exe 780 schtasks.exe 2128 schtasks.exe 1916 schtasks.exe 2016 schtasks.exe 484 schtasks.exe -
Processes:
services.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 services.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 services.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C services.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
Comcommon.exeComcommon.exeservices.exepid process 2656 Comcommon.exe 2656 Comcommon.exe 2656 Comcommon.exe 2656 Comcommon.exe 2656 Comcommon.exe 2656 Comcommon.exe 2656 Comcommon.exe 3052 Comcommon.exe 3052 Comcommon.exe 3052 Comcommon.exe 3052 Comcommon.exe 3052 Comcommon.exe 1532 services.exe 1532 services.exe 1532 services.exe 1532 services.exe 1532 services.exe 1532 services.exe 1532 services.exe 1532 services.exe 1532 services.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
services.exepid process 1532 services.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Comcommon.exeComcommon.exeservices.exedescription pid process Token: SeDebugPrivilege 2656 Comcommon.exe Token: SeDebugPrivilege 3052 Comcommon.exe Token: SeDebugPrivilege 1532 services.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
6386C6BC5C2E9E6EA345B370F67868B6.exeWScript.execmd.exeComcommon.execmd.exeComcommon.exedescription pid process target process PID 1420 wrote to memory of 940 1420 6386C6BC5C2E9E6EA345B370F67868B6.exe WScript.exe PID 1420 wrote to memory of 940 1420 6386C6BC5C2E9E6EA345B370F67868B6.exe WScript.exe PID 1420 wrote to memory of 940 1420 6386C6BC5C2E9E6EA345B370F67868B6.exe WScript.exe PID 1420 wrote to memory of 940 1420 6386C6BC5C2E9E6EA345B370F67868B6.exe WScript.exe PID 940 wrote to memory of 2736 940 WScript.exe cmd.exe PID 940 wrote to memory of 2736 940 WScript.exe cmd.exe PID 940 wrote to memory of 2736 940 WScript.exe cmd.exe PID 940 wrote to memory of 2736 940 WScript.exe cmd.exe PID 2736 wrote to memory of 2656 2736 cmd.exe Comcommon.exe PID 2736 wrote to memory of 2656 2736 cmd.exe Comcommon.exe PID 2736 wrote to memory of 2656 2736 cmd.exe Comcommon.exe PID 2736 wrote to memory of 2656 2736 cmd.exe Comcommon.exe PID 2656 wrote to memory of 1428 2656 Comcommon.exe cmd.exe PID 2656 wrote to memory of 1428 2656 Comcommon.exe cmd.exe PID 2656 wrote to memory of 1428 2656 Comcommon.exe cmd.exe PID 1428 wrote to memory of 2404 1428 cmd.exe w32tm.exe PID 1428 wrote to memory of 2404 1428 cmd.exe w32tm.exe PID 1428 wrote to memory of 2404 1428 cmd.exe w32tm.exe PID 1428 wrote to memory of 3052 1428 cmd.exe Comcommon.exe PID 1428 wrote to memory of 3052 1428 cmd.exe Comcommon.exe PID 1428 wrote to memory of 3052 1428 cmd.exe Comcommon.exe PID 3052 wrote to memory of 1532 3052 Comcommon.exe services.exe PID 3052 wrote to memory of 1532 3052 Comcommon.exe services.exe PID 3052 wrote to memory of 1532 3052 Comcommon.exe services.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6386C6BC5C2E9E6EA345B370F67868B6.exe"C:\Users\Admin\AppData\Local\Temp\6386C6BC5C2E9E6EA345B370F67868B6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\portServercrt\Comcommon.exe"C:\portServercrt\Comcommon.exe"4⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O9QAQD33qL.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2404
-
C:\portServercrt\Comcommon.exe"C:\portServercrt\Comcommon.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\portServercrt\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\portServercrt\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\portServercrt\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Libraries\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\State\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\portServercrt\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portServercrt\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\portServercrt\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\portServercrt\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portServercrt\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\portServercrt\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\portServercrt\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\portServercrt\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\portServercrt\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\portServercrt\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portServercrt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\portServercrt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComcommonC" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\Comcommon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Comcommon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\Comcommon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComcommonC" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\Comcommon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f1⤵PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f1⤵
- Creates scheduled task(s)
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f1⤵PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\it-IT\WmiPrvSE.exe'" /f1⤵
- Creates scheduled task(s)
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\winlogon.exe'" /f1⤵PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2960
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\O9QAQD33qL.batFilesize
195B
MD5048a03689ccb90e9dfa110f7d74f67b2
SHA1e0b1927bf6abf73c950ffc98ca90ee8a1046f47c
SHA25687991f00cc6e088949c5e03a3f335535ed3806dcddf0c7b89ca4585de812c8f4
SHA51266de050a449fa9227c29524137a5004a49431772c3a0860a9910096db197636ce762667b52c7eb487d0dbd2c8bcc510c596d8e8db028e86dd5a193b98fd1db1c
-
C:\portServercrt\0a1fd5f707cd16Filesize
168B
MD52b479e6d22bc551d12a652e9348a7a65
SHA121aac8d2e8cf35e2feb40df95507477b3a65c7fc
SHA256d61a83d59a278fd45389541845246a3e555d46ac27eaf61f5741535a5872d5ca
SHA512aff46aa8c387cf318e59d7d61ef5b376d6e62d604bd8edbbef0fb9cd8061cbcb5cedfb9c642e1d25c543704bbf4f072e672e0d4f611830211de91f7b7dc012db
-
C:\portServercrt\886983d96e3d3eFilesize
948B
MD528780e2dd6f4d88c0026dadd33c44771
SHA1c2de16080fcf6993496ba3e10e486c1f0553828f
SHA25660b33053c6612aa398213ba4536cf080cac854edca99514a825a0e054a62d026
SHA512cfbafb21d565c0364e434c03d57b7394f6bfaf4a4cc5cdeab58b415050e71f08b879a2dd11fa8b979d9a50bc8caf7314076189932eb341305efa99c1da3cd2af
-
C:\portServercrt\DwNQE.vbeFilesize
203B
MD5588844585deebaa15919f153bc9447f0
SHA16e067e41f4abea125c891cf1672d9062d771d209
SHA2567070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1
SHA512dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d
-
C:\portServercrt\ZHAklq6LBoJU.batFilesize
32B
MD5db82c18bb79cfc990b4cde2874b61c10
SHA1183605f521813b881e1a5847e569b831232c0fd1
SHA256943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13
SHA5127cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471
-
\portServercrt\Comcommon.exeFilesize
997KB
MD51c3c6b206b20d18d049ed7586e330929
SHA1aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2
SHA256b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e
SHA512a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53
-
memory/1532-90-0x0000000000A00000-0x0000000000B00000-memory.dmpFilesize
1024KB
-
memory/2656-13-0x0000000000DF0000-0x0000000000EF0000-memory.dmpFilesize
1024KB
-
memory/2656-14-0x00000000001C0000-0x00000000001CE000-memory.dmpFilesize
56KB
-
memory/2656-15-0x00000000001D0000-0x00000000001DC000-memory.dmpFilesize
48KB
-
memory/2656-16-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/3052-51-0x0000000000160000-0x0000000000260000-memory.dmpFilesize
1024KB