Analysis Overview
SHA256: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc
Threat Level: Known bad
The file e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
Detects executables containing URLs to raw contents of a Github gist
Detects executables packed with SmartAssembly
DCRat payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-21 04:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-21 04:52
Reported: 2024-06-21 04:54
Platform: win7-20240508-en
Max time kernel: 122s
Max time network: 122s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\trx.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Java\jre7\bin\plugin2\886983d96e3d3e | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\886983d96e3d3e | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\taskhost.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\b75386f1303e64 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | C:\MSCONFIG\CONFIG.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | "C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe" |
| C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" |
| C:\Users\Admin\AppData\Local\Temp\trx.exe | "C:\Users\Admin\AppData\Local\Temp\trx.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1092 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" " |
| C:\MSCONFIG\CONFIG.exe | "C:\MSCONFIG\CONFIG.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f |
| C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | "C:\Program Files\Java\jre7\bin\plugin2\csrss.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | a0997184.xsph.ru | udp |
| RU | 141.8.192.103:80 | a0997184.xsph.ru | tcp |
Files
memory/1284-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp
memory/1284-1-0x000000013FF80000-0x0000000140074000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
| MD5 | 74494703e5f44eeb9aa037f0f50bf682 |
| SHA1 | fcfd8813e63cd61c5bfd2db605827fb9070fe8e9 |
| SHA256 | 3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66 |
| SHA512 | dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe |
C:\Users\Admin\AppData\Local\Temp\trx.exe
| MD5 | 03cde07f808c1c15f2b413e89a45b9d8 |
| SHA1 | 2e4f97f7f28024db39758472d484484dc3030c0b |
| SHA256 | daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f |
| SHA512 | d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18 |
memory/2164-14-0x000000007452E000-0x000000007452F000-memory.dmp
memory/1284-13-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
memory/2164-16-0x00000000012E0000-0x00000000012EA000-memory.dmp
C:\MSCONFIG\0h6cj87wvPM.vbe
| MD5 | c82cc3c85bd84d0af9e997e0a4959cdd |
| SHA1 | 8ff246be20905b44b77082729819917245547013 |
| SHA256 | 53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d |
| SHA512 | 09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9 |
C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat
| MD5 | 8ec84d1942903da3492f14e534a8e841 |
| SHA1 | b152ff7373eac0aaef9c17637bde6cc754fe257a |
| SHA256 | a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d |
| SHA512 | bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076 |
\MSCONFIG\CONFIG.exe
| MD5 | 5e14719cd7fbb360095ace17828a75b3 |
| SHA1 | 72cd087ba89bef7546a5657b352b61f2ea31f492 |
| SHA256 | 095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561 |
| SHA512 | 20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-21 04:52
Reported: 2024-06-21 04:54
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\MSCONFIG\CONFIG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\MSCONFIG\CONFIG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\trx.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\wininit.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\5940a34987c991 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Internet Explorer\wininit.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Internet Explorer\56085415360792 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\56085415360792 | C:\MSCONFIG\CONFIG.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Internet Explorer\images\explorer.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Program Files\Internet Explorer\images\7a0fd90576e088 | C:\MSCONFIG\CONFIG.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Performance\e1ef82546f0b02 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\Cursors\Registry.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\Cursors\ee2ad38f3d4382 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\Sun\Java\Deployment\1143e5710f078d | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\tracing\dwm.exe | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\tracing\6cb0b6c459d5d3 | C:\MSCONFIG\CONFIG.exe | N/A |
| File created | C:\Windows\Performance\SppExtComObj.exe | C:\MSCONFIG\CONFIG.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\trx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\MSCONFIG\CONFIG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSCONFIG\CONFIG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | "C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe" |
| C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" |
| C:\Users\Admin\AppData\Local\Temp\trx.exe | "C:\Users\Admin\AppData\Local\Temp\trx.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" " |
| C:\MSCONFIG\CONFIG.exe | "C:\MSCONFIG\CONFIG.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\MSCONFIG\taskhostw.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /f |
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSCONFIG\CONFIG.exe
"C:\MSCONFIG\CONFIG.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4652 -ip 4652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1428
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
| MD5 | 74494703e5f44eeb9aa037f0f50bf682 |
| SHA1 | fcfd8813e63cd61c5bfd2db605827fb9070fe8e9 |
| SHA256 | 3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66 |
| SHA512 | dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe |
C:\Users\Admin\AppData\Local\Temp\trx.exe
| MD5 | 03cde07f808c1c15f2b413e89a45b9d8 |
| SHA1 | 2e4f97f7f28024db39758472d484484dc3030c0b |
| SHA256 | daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f |
| SHA512 | d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18 |
C:\MSCONFIG\0h6cj87wvPM.vbe
| MD5 | c82cc3c85bd84d0af9e997e0a4959cdd |
| SHA1 | 8ff246be20905b44b77082729819917245547013 |
| SHA256 | 53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d |
| SHA512 | 09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9 |
C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat
| MD5 | 8ec84d1942903da3492f14e534a8e841 |
| SHA1 | b152ff7373eac0aaef9c17637bde6cc754fe257a |
| SHA256 | a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d |
| SHA512 | bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076 |
C:\MSCONFIG\CONFIG.exe
| MD5 | 5e14719cd7fbb360095ace17828a75b3 |
| SHA1 | 72cd087ba89bef7546a5657b352b61f2ea31f492 |
| SHA256 | 095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561 |
| SHA512 | 20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27 |
C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat
| MD5 | 76a5acdd11c8445c4fb43b8ab007d86f |
| SHA1 | 0b9d3d98c7132186ea2142410b8bafed012ed65d |
| SHA256 | 5945ef32e06ce1d72e1290ffcaacd86ec45f4486554d4ea8d7efdcb3e1e0b8ff |
| SHA512 | c95b0ae33c220e24b8e97971b226addb4c5a7a988a6bafd4bca63ee14b3fc3ee2b460d7ea4a7238e6739cde61810817c07c67c53bde59d2cedad08a30a0ccfb1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CONFIG.exe.log
| MD5 | 3dabc3a15559ada6586962e5d966af35 |
| SHA1 | b9e7ebe34532596154354f7130acafe8654016ef |
| SHA256 | 43f6fa295df0ae3976c919bdd314b17768768b6eb14514b2b3a3fe8e7e477c5b |
| SHA512 | e828eb2af6cb4551e3174cfe8fbcd3c7923ad71c8d6dbf33432223bb230561f8145fc894f457f6660266c2658166fca486c557337f1bafc1b9973d19959fa348 |
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat
| MD5 | cf6800bfb1c35205a8bc71d9d9bfa190 |
| SHA1 | 22d56dd84ec4416c0461abb665d691d4510a53e5 |
| SHA256 | ab63bd127bf496cbd967233a1bfd2cc3d516d99853567b069ded9becc8efe77d |
| SHA512 | e183da86e5ace5f29183a7d67dd2b35021c0ed8f691f68dfd8229333954077125f8397890e8aeaa782371efd5bd7c2043a17e15cfc8cee577d682551aad3a58f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
| MD5 | 45b7b984ff65c4ed6e0e1eec9a7e1dbb |
| SHA1 | 319c613685ba61edb0956fcb3301e659572e6255 |
| SHA256 | 5779e6406a1a1a3938bcc0dcc2eecbdea9a23ae203d9d9dc678b056315139b69 |
| SHA512 | c8733ff26e452805c7791b1cd9a17913dafaf55567a6d8dea4bdd675aae5077d857b546878ab605101a2320e53621b9e07d2b0a51942ef14839891f2be581049 |
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat
| MD5 | 033309c9fb0cb952e7e940828ab531f5 |
| SHA1 | abb4358ba92106e641671c611153f3a3e944b458 |
| SHA256 | 6055914d2abbbce08f212f53dba273753e8eb5831912a1c26855e868a771cb66 |
| SHA512 | 3b97ef986596f4139215da7eca5cdf55f15d2e7b54afe2f36aed2382ce9f81f96bc3ee49738ccb9334f796b86ec5b918065ac806860f5c380e5fbd603d94b4e6 |
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat
| MD5 | 88a2763bba4bd031f7db3857d0f3c78f |
| SHA1 | b54a5b883970e5dc493e87e58ed094fa3462744f |
| SHA256 | f8c9f64cad1ef11c48d0c19b0c75f5289b8286dcf4bd4d892a7adc478f016750 |
| SHA512 | 14bb52f3f25619e65bece77cb0f14a63aa2a560f536e8b302ef6051eda747769a58f42be7c72b4431297fe7a30e6e6aca13c55c2dccecdf8021e55f6dcfabb7f |
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
| MD5 | cf9cac864fe027e2390dc92c7e8bc1aa |
| SHA1 | e921abfc1c577037bdf8bb329b7eb90076c9c786 |
| SHA256 | 40a126dc0c1b85938738a36a0d5b64413b287b51ebeb372a812b5b733db31281 |
| SHA512 | 0a2f7f082d5b9db65744ed57a6f81f771bbb66abf4a123cfe893bee86a5c03519d2903bdd24a18d5c9c613f519ee30167f52daafd43e33400456c68c35ee4a05 |
C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat
| MD5 | 1c38052fa1d92ac87d9f1cbdd4554fb4 |
| SHA1 | 7eaf591d94cf7401dbbcc26934f0c8810feda7c7 |
| SHA256 | 06796c05a45c31d0e3204ddfe60d42a5b8e6504139ec54f55830aef446575d1d |
| SHA512 | 5372e780d0e5a63d17df46e700638af4f0975863f12773f48e6aa2717bf710938b6680f65b06cd80568302a0d829c3f09f08c8557ad6171ede4eb619b324d52c |
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat
| MD5 | 703ca2a879f3908c96a2b6cd8f83997d |
| SHA1 | a69d052783f29f8b3e14434649f84b89c3086f1a |
| SHA256 | 030eaea140b2c52ec25afb033cfb3b7c7dd284d643c571332236193dac59ba88 |
| SHA512 | 54cf6bd22ef84e16e15ee743a8cc906e49308a4b1dc37468223f4ebf7b32674f40ca66d15b9a71923fcc2518c99c6ca619019b271c7bda58b76e98dcfd1f2e6a |