Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 04:52
Static task: static1
Behavioral task: behavioral1
Sample: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
Resource: win10v2004-20240508-en
General
Target: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
Size: 959KB
MD5: 4d580c12dd002c7e9d0672cf7c0fef59
SHA1: b46c4eaeea368c01f3b6e89a7749dcb9719fcf11
SHA256: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc
SHA512: 6a517c05bf3b3df6d66fbe026044456bc5ec9f643757a53705a869588c505fbb837fc763134b71bea390ca8f01f8b5fdda391ed5eb07829dcd8249027a6f99f0
SSDEEP: 24576:7IY/8GC9t2/zdHKXMXvE/s5ZVKBdd0aZ7+B:7IQRllfE/oYh+B
Malware Config
Signatures
DcRat 63 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (pid process, or description ioc process):
- PID 5096 (schtasks.exe)
- PID 1168 (schtasks.exe)
- PID 2704 (schtasks.exe)
- File created C:\Windows\Performance\e1ef82546f0b02 (CONFIG.exe)
- PID 4056 (schtasks.exe)
- PID 4520 (schtasks.exe)
- PID 3568 (schtasks.exe)
- File created C:\Program Files\Internet Explorer\images\7a0fd90576e088 (CONFIG.exe)
- File created C:\Program Files (x86)\Microsoft\Edge\Application\5940a34987c991 (CONFIG.exe)
- PID 3028 (schtasks.exe)
- PID 4852 (schtasks.exe)
- PID 4560 (schtasks.exe)
- PID 4212 (schtasks.exe)
- PID 3552 (schtasks.exe)
- PID 2232 (schtasks.exe)
- PID 2188 (schtasks.exe)
- PID 752 (schtasks.exe)
- PID 4936 (schtasks.exe)
- PID 1256 (schtasks.exe)
- PID 1796 (schtasks.exe)
- File created C:\Program Files\Internet Explorer\56085415360792 (CONFIG.exe)
- PID 3252 (schtasks.exe)
- PID 888 (schtasks.exe)
- PID 5064 (schtasks.exe)
- PID 3596 (schtasks.exe)
- PID 3180 (schtasks.exe)
- PID 2184 (schtasks.exe)
- PID 3624 (schtasks.exe)
- PID 1364 (schtasks.exe)
- PID 872 (schtasks.exe)
- PID 3736 (schtasks.exe)
- PID 4772 (schtasks.exe)
- PID 380 (schtasks.exe)
- PID 4424 (schtasks.exe)
- PID 456 (schtasks.exe)
- PID 2388 (schtasks.exe)
- File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 (CONFIG.exe)
- PID 976 (schtasks.exe)
- PID 1568 (schtasks.exe)
- PID 1464 (schtasks.exe)
- PID 2616 (schtasks.exe)
- PID 3628 (schtasks.exe)
- PID 4088 (schtasks.exe)
- PID 1348 (schtasks.exe)
- PID 748 (schtasks.exe)
- PID 2944 (schtasks.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe)
- PID 916 (schtasks.exe)
- PID 4992 (schtasks.exe)
- PID 1312 (schtasks.exe)
- PID 1624 (schtasks.exe)
- PID 1100 (schtasks.exe)
- PID 4040 (schtasks.exe)
- PID 4144 (schtasks.exe)
- PID 1028 (schtasks.exe)
- PID 3604 (schtasks.exe)
- PID 948 (schtasks.exe)
- PID 3068 (schtasks.exe)
- PID 2088 (schtasks.exe)
- PID 4516 (schtasks.exe)
- PID 516 (schtasks.exe)
- PID 4272 (schtasks.exe)
- PID 4292 (schtasks.exe)
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process):
Every one of the 57 entries carries the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 1592 and process schtasks.exe. The pids, in the order listed: 3068, 2188, 4852, 948, 2944, 4272, 3736, 5064, 4292, 3604, 4936, 4056, 3596, 1256, 4144, 4212, 872, 1568, 1796, 3180, 456, 2704, 2616, 4424, 3028, 1624, 1028, 916, 976, 1464, 4772, 2388, 752, 1100, 2184, 4560, 2088, 4520, 4516, 4992, 1312, 3628, 4088, 380, 3252, 4040, 3552, 3624, 3568, 5096, 1364, 1348, 888, 2232, 748, 1168, 516.
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\trx.exe: dcrat
- C:\MSCONFIG\CONFIG.exe: dcrat
- behavioral2/memory/696-39-0x0000000000540000-0x000000000066E000-memory.dmp: dcrat
Detects executables containing URLs to raw contents of a Github gist 2 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/4652-25-0x0000000000FA0000-0x0000000000FAA000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Detects executables packed with SmartAssembly 1 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/696-45-0x000000001B1C0000-0x000000001B1CC000-memory.dmp: INDICATOR_EXE_Packed_SmartAssembly
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (conhost.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (conhost.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (conhost.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (conhost.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (trx.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (CONFIG.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (CONFIG.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (conhost.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (conhost.exe)
Executes dropped EXE 11 IoCs
Processes (pid, process):
- 4652 SolaraBootstrapper.exe
- 1436 trx.exe
- 696 CONFIG.exe
- 4380 CONFIG.exe
- 3832 conhost.exe
- 4344 conhost.exe
- 1312 conhost.exe
- 1672 conhost.exe
- 3384 conhost.exe
- 2248 conhost.exe
- 4784 conhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes (flow, ioc):
- flow 5: pastebin.com
- flow 11: pastebin.com
- flow 12: pastebin.com
- flow 13: pastebin.com
- flow 14: pastebin.com
- flow 15: pastebin.com
Drops file in Program Files directory 11 IoCs
Processes (description, ioc, process):
- File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 (CONFIG.exe)
- File created C:\Program Files\Microsoft Office\root\wininit.exe (CONFIG.exe)
- File created C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe (CONFIG.exe)
- File created C:\Program Files (x86)\Microsoft\Edge\Application\5940a34987c991 (CONFIG.exe)
- File created C:\Program Files\Internet Explorer\wininit.exe (CONFIG.exe)
- File created C:\Program Files\Internet Explorer\56085415360792 (CONFIG.exe)
- File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe (CONFIG.exe)
- File created C:\Program Files\Microsoft Office\root\56085415360792 (CONFIG.exe)
- File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe (CONFIG.exe)
- File created C:\Program Files\Internet Explorer\images\explorer.exe (CONFIG.exe)
- File created C:\Program Files\Internet Explorer\images\7a0fd90576e088 (CONFIG.exe)
Drops file in Windows directory 8 IoCs
Processes (description, ioc, process):
- File created C:\Windows\Performance\e1ef82546f0b02 (CONFIG.exe)
- File created C:\Windows\Cursors\Registry.exe (CONFIG.exe)
- File created C:\Windows\Cursors\ee2ad38f3d4382 (CONFIG.exe)
- File created C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe (CONFIG.exe)
- File created C:\Windows\Sun\Java\Deployment\1143e5710f078d (CONFIG.exe)
- File created C:\Windows\tracing\dwm.exe (CONFIG.exe)
- File created C:\Windows\tracing\6cb0b6c459d5d3 (CONFIG.exe)
- File created C:\Windows\Performance\SppExtComObj.exe (CONFIG.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 4272 WerFault.exe, target 4652 SolaraBootstrapper.exe
Modifies registry class 8 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (conhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (conhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (trx.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (CONFIG.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (conhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (conhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (conhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (conhost.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
All 57 entries are schtasks.exe. The pids, in the order listed: 1464, 4772, 2088, 4992, 3568, 3596, 2184, 4560, 2944, 4088, 1168, 948, 4212, 752, 456, 3028, 1028, 4520, 516, 3068, 4936, 4056, 5064, 3180, 2616, 748, 4292, 2704, 4040, 888, 2188, 1796, 4516, 4424, 916, 1100, 1624, 4852, 3624, 1348, 5096, 1256, 2388, 380, 976, 3552, 4272, 872, 1568, 3736, 1312, 1364, 3604, 3628, 3252, 4144, 2232.
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes (pid, process):
- 696 CONFIG.exe (9 entries)
- 4380 CONFIG.exe (5 entries)
- 3832 conhost.exe
- 4344 conhost.exe
- 1312 conhost.exe
- 1672 conhost.exe
- 3384 conhost.exe
- 2248 conhost.exe
- 4784 conhost.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4652 SolaraBootstrapper.exe
- Token: SeDebugPrivilege, 696 CONFIG.exe
- Token: SeDebugPrivilege, 4380 CONFIG.exe
- Token: SeDebugPrivilege, 3832 conhost.exe
- Token: SeDebugPrivilege, 4344 conhost.exe
- Token: SeDebugPrivilege, 1312 conhost.exe
- Token: SeDebugPrivilege, 1672 conhost.exe
- Token: SeDebugPrivilege, 3384 conhost.exe
- Token: SeDebugPrivilege, 2248 conhost.exe
- Token: SeDebugPrivilege, 4784 conhost.exe
Suspicious use of WriteProcessMemory 58 IoCs
Processes (description, pid, process, target process; identical consecutive entries are counted rather than repeated):
- PID 1416 wrote to memory of 4652: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe -> SolaraBootstrapper.exe (3 entries)
- PID 1416 wrote to memory of 1436: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe -> trx.exe (3 entries)
- PID 1436 wrote to memory of 1384: trx.exe -> WScript.exe (3 entries)
- PID 1384 wrote to memory of 2756: WScript.exe -> cmd.exe (3 entries)
- PID 2756 wrote to memory of 696: cmd.exe -> CONFIG.exe (2 entries)
- PID 696 wrote to memory of 2784: CONFIG.exe -> cmd.exe (2 entries)
- PID 2784 wrote to memory of 1748: cmd.exe -> w32tm.exe (2 entries)
- PID 2784 wrote to memory of 4380: cmd.exe -> CONFIG.exe (2 entries)
- PID 4380 wrote to memory of 3832: CONFIG.exe -> conhost.exe (2 entries)
- PID 3832 wrote to memory of 3944: conhost.exe -> cmd.exe (2 entries)
- PID 3944 wrote to memory of 2180: cmd.exe -> w32tm.exe (2 entries)
- PID 3944 wrote to memory of 4344: cmd.exe -> conhost.exe (2 entries)
- PID 4344 wrote to memory of 5100: conhost.exe -> cmd.exe (2 entries)
- PID 5100 wrote to memory of 1300: cmd.exe -> w32tm.exe (2 entries)
- PID 5100 wrote to memory of 1312: cmd.exe -> conhost.exe (2 entries)
- PID 1312 wrote to memory of 2948: conhost.exe -> cmd.exe (2 entries)
- PID 2948 wrote to memory of 1080: cmd.exe -> w32tm.exe (2 entries)
- PID 2948 wrote to memory of 1672: cmd.exe -> conhost.exe (2 entries)
- PID 1672 wrote to memory of 3852: conhost.exe -> cmd.exe (2 entries)
- PID 3852 wrote to memory of 4400: cmd.exe -> w32tm.exe (2 entries)
- PID 3852 wrote to memory of 3384: cmd.exe -> conhost.exe (2 entries)
- PID 3384 wrote to memory of 1448: conhost.exe -> cmd.exe (2 entries)
- PID 1448 wrote to memory of 3284: cmd.exe -> w32tm.exe (2 entries)
- PID 1448 wrote to memory of 2248: cmd.exe -> conhost.exe (2 entries)
- PID 2248 wrote to memory of 4952: conhost.exe -> cmd.exe (2 entries)
- PID 4952 wrote to memory of 1652: cmd.exe -> w32tm.exe (2 entries)
- PID 4952 wrote to memory of 4784: cmd.exe -> conhost.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1416
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4652
C:\Windows\SysWOW64\WerFault.exe (depth 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1428
- Program crash
PID: 4272
C:\Users\Admin\AppData\Local\Temp\trx.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\trx.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1436
C:\Windows\SysWOW64\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1384
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" "
- Suspicious use of WriteProcessMemory
PID: 2756
C:\MSCONFIG\CONFIG.exe (depth 5)
Command line: "C:\MSCONFIG\CONFIG.exe"
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 696
C:\Windows\System32\cmd.exe (depth 6)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat"
- Suspicious use of WriteProcessMemory
PID: 2784
C:\Windows\system32\w32tm.exe (depth 7)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1748
C:\MSCONFIG\CONFIG.exe (depth 7)
Command line: "C:\MSCONFIG\CONFIG.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4380
C:\Recovery\WindowsRE\conhost.exe (depth 8)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3832
C:\Windows\System32\cmd.exe (depth 9)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
- Suspicious use of WriteProcessMemory
PID: 3944
C:\Windows\system32\w32tm.exe (depth 10)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2180
C:\Recovery\WindowsRE\conhost.exe (depth 10)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4344
C:\Windows\System32\cmd.exe (depth 11)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
- Suspicious use of WriteProcessMemory
PID: 5100
C:\Windows\system32\w32tm.exe (depth 12)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1300
C:\Recovery\WindowsRE\conhost.exe (depth 12)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1312
C:\Windows\System32\cmd.exe (depth 13)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
- Suspicious use of WriteProcessMemory
PID: 2948
C:\Windows\system32\w32tm.exe (depth 14)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1080
C:\Recovery\WindowsRE\conhost.exe (depth 14)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1672
C:\Windows\System32\cmd.exe (depth 15)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
- Suspicious use of WriteProcessMemory
PID: 3852
C:\Windows\system32\w32tm.exe (depth 16)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4400
C:\Recovery\WindowsRE\conhost.exe (depth 16)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3384
C:\Windows\System32\cmd.exe (depth 17)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
- Suspicious use of WriteProcessMemory
PID: 1448
C:\Windows\system32\w32tm.exe (depth 18)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3284
C:\Recovery\WindowsRE\conhost.exe (depth 18)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2248
C:\Windows\System32\cmd.exe (depth 19)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
- Suspicious use of WriteProcessMemory
PID: 4952
C:\Windows\system32\w32tm.exe (depth 20)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1652
C:\Recovery\WindowsRE\conhost.exe (depth 20)
Command line: "C:\Recovery\WindowsRE\conhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4784
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3068
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4852
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2188
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 948
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2944
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4272
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5064
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3736
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4292
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4936
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3604
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\MSCONFIG\taskhostw.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\System.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4652 -ip 4652
PID:404
Network
MITRE ATT&CK Enterprise v15
Downloads