Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
21-06-2024 12:03
Behavioral task
behavioral1
Sample
DCRatBuild.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
DCRatBuild.exe
Resource
win10v2004-20240508-en
General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
69119a27d94728deb85e51c343ca0173
-
SHA1
f93da03f3678056d611196d1c837146277fc68dc
-
SHA256
f54df54335eb1edb832f6a501d095b0d2011c32a81f061397e04908efab35b3e
-
SHA512
ce7887a1abaac570a45344efa9793650c39134b89a1aaad5e1cbe8e71985e6515871622334b5da4cad520e865a4c7605e0587bb4174d54fbf129035eb5cd1e6c
-
SSDEEP
24576:U2G/nvxW3Ww0tzm2QaiULPxZWv7q6cZIrDgVmAk:UbA30BQaVZrmH
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan that has been active since June 2019 and can load additional plugins at runtime.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every flagged child is schtasks.exe and every recorded parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 1196). WmiPrvSE.exe is the parent of any process created through WMI (Win32_Process.Create), so this pattern is consistent with the sample registering its scheduled tasks via WMI rather than with a compromised provider host; the WMI client that issued the calls is not identified by this signature.
Processes: child schtasks.exe PIDs, with parent wmiprvse.exe (PID 1196) in all 39 cases: 2732, 1424, 2660, 2632, 2640, 2484, 2176, 2304, 2428, 2424, 2444, 2772, 2792, 2752, 1624, 1600, 1972, 1964, 288, 1808, 468, 2384, 1440, 2508, 2564, 1248, 2316, 2232, 2856, 2448, 2252, 332, 1136, 584, 1856, 380, 2436, 1608, 2432
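The lineage rule behind this signature, applied to a constructed set of process-creation records modelled on this run. This is an added example, not part of the report or of the sandbox's own detection code. The expected-parent baseline, the trusted-directory list and the parent of DCRatBuild.exe (explorer.exe, PID 1000) are assumptions; the other PIDs and image paths are taken from the report. It goes one step beyond the signature: it reports separately that a child was created through the WMI provider host, and it walks ancestry so that serverwin.exe and Idle.exe are caught as binaries launched from outside Windows/Program Files with a script host in their lineage.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, reduced to the fields a lineage rule needs."""
    pid: int
    image: str
    ppid: int
    parent_image: str


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


# Parents that legitimately launch each child image. This baseline is an
# assumption for the example; derive a real one from your own telemetry.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "svchost.exe"},
    "wscript.exe": {"explorer.exe"},
    "cmd.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "svchost.exe"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def ancestors(event: ProcEvent, by_pid: dict) -> list:
    """Follow ppid links as far as the event set reaches; guards against cycles."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def lineage_findings(events) -> list:
    """Return (pid, rule) pairs for every lineage anomaly in the event set."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child, parent = image_name(e.image), image_name(e.parent_image)
        if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
            findings.append((e.pid, f"unexpected parent {parent} -> {child}"))
        if parent == "wmiprvse.exe":
            # Anything created through WMI's Win32_Process.Create is parented by
            # WmiPrvSE.exe. The real initiator is the WMI client, so the pivot
            # is to WMI activity logging, not to the provider host itself.
            findings.append((e.pid, "spawned via WMI provider host"))
        outside_trusted = not e.image.lower().startswith(TRUSTED_DIRS)
        if outside_trusted and any(image_name(a.image) in SCRIPT_HOSTS
                                   for a in ancestors(e, by_pid)):
            findings.append((e.pid, "script-host ancestor launched binary outside Windows/Program Files"))
    return findings


# Constructed records mirroring this report's tree. The parent of DCRatBuild.exe
# (explorer.exe, PID 1000) is assumed; the report does not show it.
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [
    ProcEvent(1720, r"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe", 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(2936, r"C:\Windows\SysWOW64\WScript.exe", 1720, r"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"),
    ProcEvent(2608, r"C:\Windows\SysWOW64\cmd.exe", 2936, r"C:\Windows\SysWOW64\WScript.exe"),
    ProcEvent(2684, r"C:\PortserverWin\serverwin.exe", 2608, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(1744, r"C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe", 2684, r"C:\PortserverWin\serverwin.exe"),
    ProcEvent(2732, r"C:\Windows\system32\schtasks.exe", 1196, WMIPRVSE),
    ProcEvent(1424, r"C:\Windows\system32\schtasks.exe", 1196, WMIPRVSE),
    # Benign control (not from the report): an administrator's cmd.exe creating a task.
    ProcEvent(3100, r"C:\Windows\System32\schtasks.exe", 2700, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, rule in lineage_findings(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Run it directly to print the findings. In a real pipeline the records come from Sysmon Event ID 1 or EDR process-creation telemetry; the control event shows that a schtasks.exe launched from cmd.exe inside System32 stays silent, while the report's chain produces findings for WScript.exe, cmd.exe, serverwin.exe, Idle.exe and both WMI-spawned schtasks.exe instances.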
-
DcRat YARA rule matches 3 IoCs
Resources matching the dcrat rule:
- C:\PortserverWin\serverwin.exe
- behavioral1/memory/2684-13-0x0000000000E50000-0x0000000000F26000-memory.dmp (serverwin.exe, PID 2684)
- behavioral1/memory/1744-46-0x0000000001260000-0x0000000001336000-memory.dmp (Idle.exe, PID 1744)
-
Executes dropped EXE 2 IoCs
Processes (PID, image):
- 2684 serverwin.exe
- 1744 Idle.exe
-
Loads dropped DLL 2 IoCs
Processes (PID, image):
- 2608 cmd.exe (2 events)
-
Drops file in Program Files directory 4 IoCs
Files created by serverwin.exe:
- C:\Program Files\Windows Defender\101b941d020240
- C:\Program Files (x86)\MSBuild\audiodg.exe
- C:\Program Files (x86)\MSBuild\42af1c969fbb7b
- C:\Program Files\Windows Defender\lsm.exe
-
Drops file in Windows directory 3 IoCs
Files created by serverwin.exe:
- C:\Windows\rescache\rc0005\sppsvc.exe
- C:\Windows\ehome\wow\en-US\lsm.exe
- C:\Windows\ehome\wow\en-US\101b941d020240
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (all attributed to chrome.exe, PID 896, not to the sample's processes):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe with PIDs 2252, 380, 1624, 468, 2232, 2384, 2856, 332, 1856, 2752, 1600, 1964, 2304, 2424, 1972, 2508, 2436, 2732, 1424, 2660, 2448, 1608, 2428, 2444, 2564, 2640, 2792, 1808, 2484, 584, 1248, 2316, 2176, 288, 1440, 2432, 2632, 2772, 1136 (the full command lines are listed in the process tree below)
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (PID, image):
- 2684 serverwin.exe
- 1744 Idle.exe
- 896 chrome.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (privilege enabled, PID, image):
- SeDebugPrivilege 2684 serverwin.exe
- SeDebugPrivilege 1744 Idle.exe
- SeShutdownPrivilege 896 chrome.exe (8 events)
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes (PID, image):
- 896 chrome.exe (35 events)
-
Suspicious use of SendNotifyMessage 32 IoCs
Processes (PID, image):
- 896 chrome.exe (32 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writer PID and image -> target PID and image, with the number of recorded writes):
- 1720 DCRatBuild.exe -> 2936 WScript.exe (4)
- 2936 WScript.exe -> 2608 cmd.exe (4)
- 2608 cmd.exe -> 2684 serverwin.exe (4)
- 2684 serverwin.exe -> 1744 Idle.exe (3)
- 896 chrome.exe -> 1632 chrome.exe (3)
- 896 chrome.exe -> 876 chrome.exe (39)
- 896 chrome.exe -> 2900 chrome.exe (3)
- 896 chrome.exe -> 1776 chrome.exe (4)
Every entry is a parent writing into a child it has just created; CreateProcess writes into the new process during start-up, so these rows document the drop chain and Chrome's multi-process start-up rather than injection into an unrelated process.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (PID 1720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2936)
    Command line: "C:\Windows\System32\WScript.exe" "C:\PortserverWin\hbvALF5ANwO637LJ.vbe"
    Signatures: Suspicious use of WriteProcessMemory
    (The command line names System32\WScript.exe but the image that ran is the SysWOW64 copy: the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it and for its children.)
    - C:\Windows\SysWOW64\cmd.exe (PID 2608)
      Command line: cmd /c ""C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat" "
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\PortserverWin\serverwin.exe (PID 2684)
        Command line: "C:\PortserverWin\serverwin.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe (PID 1744)
          Command line: "C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe"
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- Scheduled task registrations. The 39 schtasks.exe processes below (image C:\Windows\system32\schtasks.exe) sit at the top level of the tree because their recorded parent, wmiprvse.exe (PID 1196), is not part of the sample's tree. Each carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". The registrations come in sets of three per target: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, all with /f so that an existing task of the same name is overwritten. The ONLOGON task is named after the target binary and the MINUTE tasks append the binary's first letter to that name (sppsvc/sppsvcs, lsm/lsml, Idle/IdleI, and so on). Thirteen sets cover twelve distinct targets (C:\PortserverWin\sppsvc.exe is registered twice); every target borrows the name of a Windows system binary or process but lives outside that binary's normal folder. Only three of the targets appear in the file-drop signatures above (C:\Windows\ehome\wow\en-US\lsm.exe, C:\Program Files (x86)\MSBuild\audiodg.exe, C:\Program Files\Windows Defender\lsm.exe) and only Idle.exe is seen executing; those signatures cover the Program Files and Windows directories only, so a target's absence there does not mean it was not dropped under C:\PortserverWin, C:\Recovery or C:\Users, and C:\Windows\rescache\rc0005\sppsvc.exe was dropped without a matching task.
  - PID 2732: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
  - PID 1424: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  - PID 2660: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  - PID 2632: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\PortserverWin\sppsvc.exe'" /f
  - PID 2640: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PortserverWin\sppsvc.exe'" /rl HIGHEST /f
  - PID 2484: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\sppsvc.exe'" /rl HIGHEST /f
  - PID 2176: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\wow\en-US\lsm.exe'" /f
  - PID 2304: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ehome\wow\en-US\lsm.exe'" /rl HIGHEST /f
  - PID 2428: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\wow\en-US\lsm.exe'" /rl HIGHEST /f
  - PID 2424: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /f
  - PID 2444: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f
  - PID 2772: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f
  - PID 2792: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\System.exe'" /f
  - PID 2752: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\PortserverWin\System.exe'" /rl HIGHEST /f
  - PID 1624: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\System.exe'" /rl HIGHEST /f
  - PID 1600: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\audiodg.exe'" /f
  - PID 1972: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\audiodg.exe'" /rl HIGHEST /f
  - PID 1964: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\audiodg.exe'" /rl HIGHEST /f
  - PID 288: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\PortserverWin\WmiPrvSE.exe'" /f
  - PID 1808: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PortserverWin\WmiPrvSE.exe'" /rl HIGHEST /f
  - PID 468: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\PortserverWin\WmiPrvSE.exe'" /rl HIGHEST /f
  - PID 2384: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /f
  - PID 1440: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f
  - PID 2508: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f
  - PID 2564: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\PortserverWin\sppsvc.exe'" /f
  - PID 1248: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PortserverWin\sppsvc.exe'" /rl HIGHEST /f
  - PID 2316: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\sppsvc.exe'" /rl HIGHEST /f
  - PID 2232: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\lsm.exe'" /f
  - PID 2856: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\lsm.exe'" /rl HIGHEST /f
  - PID 2448: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\lsm.exe'" /rl HIGHEST /f
  - PID 2252: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f
  - PID 332: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
  - PID 1136: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
  - PID 584: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /f
  - PID 1856: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
  - PID 380: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
  - PID 2436: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /f
  - PID 1608: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
  - PID 2432: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
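The 39 registrations above follow one template, so triage can be automated. The following Python is an added example, not part of this report or of any sandbox tooling. It parses `schtasks /create` command lines, unwraps the "'path'" double quoting, and flags targets that borrow a Windows binary's name while living outside that binary's folder, MINUTE schedules of 15 minutes or less, and /rl HIGHEST on a task that is already suspicious; it then groups hits per target so that each ONLOGON/MINUTE set appears once. The canonical-folder table, the 15-minute threshold and the benign control line are assumptions made for the example; the four malicious lines are copied from this report.

```python
import ntpath
import re
from collections import defaultdict

# Canonical folders for the Windows binary names these tasks borrow. This table
# is an assumption for the example, not taken from the report; "System" has no
# image file at all, so any System.exe on disk is suspect.
CANONICAL = {
    "sppsvc.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "system.exe": set(),
}
WATCHDOG_MINUTES = 15  # MINUTE schedules at or under this interval count as re-launch loops (assumed threshold)

_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
_OPT = re.compile(r'/(tn|sc|mo|tr|rl|st)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_create(cmdline: str) -> dict:
    """Return the /tn /sc /mo /tr /rl values of a `schtasks /create` line, or {}.
    DCRat wraps the target as "'path'"; both quote layers are removed from /tr."""
    if not _CREATE.search(cmdline):
        return {}
    opts = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _OPT.finditer(cmdline)}
    mo = opts.get("mo", "")
    return {
        "tn": opts.get("tn", ""),
        "sc": opts.get("sc", "").upper(),
        "mo": int(mo) if mo.isdigit() else None,
        "tr": opts.get("tr", "").strip().strip("'\""),
        "rl": opts.get("rl", "").upper(),
        "force": re.search(r"\s/f\b", cmdline, re.IGNORECASE) is not None,
    }


def target_exe(tr: str) -> str:
    """Executable portion of /tr; any arguments after the first .exe are dropped."""
    m = re.match(r"(.*?\.exe)", tr, re.IGNORECASE)
    return m.group(1) if m else tr


def assess(cmdline: str) -> list:
    """Reasons this task creation looks like persistence abuse ([] if none)."""
    task = parse_create(cmdline)
    if not task:
        return []
    exe = target_exe(task["tr"])
    name, folder = ntpath.basename(exe).lower(), ntpath.dirname(exe).lower()
    reasons = []
    if name in CANONICAL and folder not in CANONICAL[name]:
        reasons.append(f"masquerade: {name} outside its canonical folder")
    if task["sc"] == "MINUTE" and task["mo"] is not None and task["mo"] <= WATCHDOG_MINUTES:
        reasons.append(f"re-launch every {task['mo']} min (watchdog)")
    if reasons and task["rl"] == "HIGHEST":
        # Elevation alone is normal for admin tasks; it only adds weight once
        # something else about the task is already wrong.
        reasons.append("runs at highest privilege")
    return reasons


def triage(cmdlines) -> dict:
    """Group flagged registrations by target executable, so the ONLOGON + MINUTE
    tasks DCRat registers for one dropped copy show up as a single persistence set."""
    sets = defaultdict(lambda: {"task_names": set(), "reasons": set()})
    for line in cmdlines:
        reasons = assess(line)
        if not reasons:
            continue
        task = parse_create(line)
        entry = sets[target_exe(task["tr"]).lower()]
        entry["task_names"].add(task["tn"])
        entry["reasons"].update(reasons)
    return dict(sets)


# Constructed input: four registrations copied from this report's process list
# plus one benign control task that is not in the report.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ehome\wow\en-US\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\System.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for target, info in triage(SAMPLE_CMDLINES).items():
        print(target, sorted(info["task_names"]), sorted(info["reasons"]))
```

The control line stays silent even though it uses /rl HIGHEST, because wbadmin.exe sits in its own folder and the schedule is daily; the three report lines collapse into three persistence sets keyed by target path, which is the unit you would hunt for on other hosts (the task names are short and generic, the target paths are not).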
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 896)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  chrome.exe is a separate top-level process in this run; the report records no link between it and the sample, and the behaviour attributed to it (BIOS registry reads, SeShutdownPrivilege, shell-tray lookups, writes into its own child processes) is ordinary multi-process browser behaviour. Note that PID 2772 is reused during the run: it is listed above for a schtasks.exe instance and below for a chrome.exe renderer, so correlate on PID together with start time, not on PID alone.
  - chrome.exe (PID 1632)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1d99758,0x7fef1d99768,0x7fef1d99778
  - chrome.exe (PID 876)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:2
  - chrome.exe (PID 2900)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:8
  - chrome.exe (PID 1776)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:8
  - chrome.exe (PID 3008)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1480 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:1
  - chrome.exe (PID 2160)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:1
  - chrome.exe (PID 2696)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1988 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:2
  - chrome.exe (PID 2772)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1352 --field-trial-handle=1404,i,9902155734115584632,8119183139764033504,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1980)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat
  Filesize: 32B
  MD5: f97003508c4a7da05b8dd7ec2eb5d19d
  SHA1: 57c69807156d660c0394caf53af6d7edb10419ae
  SHA256: 0065d6587056351f930803b1030b2d1b210e41a4a731f3d0e4f55d903a0b80e0
  SHA512: 86c8a7697d0593dc48bd1343af8c114e85fa422380ae7cfcbd549d4b740e7aff4faf23d0ff06d1c7e4b6a1b0f3eafe15ddfbc451d42815ec23b4ee7e6437124d
- C:\PortserverWin\hbvALF5ANwO637LJ.vbe
  Filesize: 215B
  MD5: ac7f40d86252e33f7eaa68237c8ef92e
  SHA1: 3cca1a9e29e8ab5a3a72ac9c8eac2c482a0da30b
  SHA256: 90cd9a07fcbef6f39445d04035adbdcde5f1cc91e7f7f084516efbc5ba95c3ca
  SHA512: 1d66fedbc2b1d882b007d4b36c3ffef1c5d550c60ceb14c7517b48e08deb2f7e868fdd419d6545e07fe4a859ff088746f8a6892b9e99a8d2216f7c3a4bc2c694
- C:\PortserverWin\serverwin.exe
  Filesize: 828KB
  MD5: eee8aebed57ea1fb9fb307a967e6892a
  SHA1: 047a0c84eeba395bf99e99872ad56bb35416bb2b
  SHA256: 1d5d6374bc49780c31381696ad42a24369b398a2a85580196c031067f97e621d
  SHA512: 411d5d02d40de7ec4eb4679cc1047df0987060676bbd721efe099c6babbaead2dccdd68a394afe930c96bb34f40c0512ae4ca224c152f02721072cc14c04004d
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0e484c0f-08fe-4441-b388-09d8583cc98b.tmp
  Filesize: 140KB
  MD5: c507114bcaa801f8b0ade8f28c2dac82
  SHA1: 3922a7e391d876be3ea46ab108c2413ab7495336
  SHA256: f5ff76a71b6ce8e2c66618360e2353b0a8d9d4d393bb388fb4d949956a83ef02
  SHA512: 4649af4a7b88f57a99ff696b0591caa23d280f2f419d9efb29b24095772a3f1278540feee91caca840e473572aacd1374f039b8baa770021cf94d29b2947326c
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
  Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
- \??\pipe\crashpad_896_KNSKYEMTAPSRDEYO
  No size recorded. The hashes below are the digests of zero-byte input, i.e. nothing was captured from this Chrome crashpad pipe; they are not indicators.
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1744-46-0x0000000001260000-0x0000000001336000-memory.dmp (Idle.exe, PID 1744)
  Filesize: 856KB
- memory/2684-13-0x0000000000E50000-0x0000000000F26000-memory.dmp (serverwin.exe, PID 2684)
  Filesize: 856KB
  Both dumps cover a region of the same size (0xD6000 bytes) and both matched the dcrat YARA rule, consistent with Idle.exe being a copy of the serverwin.exe payload.