44caliber | fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8

General

Target

Nursultan.exe
Size

1.4MB
MD5

1b6293c7f0dfed044b0eba8b98b0faff
SHA1

e5705cbb256bb0b1a350e1b9fb71c1a1e4ac605a
SHA256

fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8
SHA512

694e9afd04089172c991a712849049545459ceeed99780a6f012ca086fa2d1b70bbd627534b85b1797f4be22feda55e46e6966fe96a2ee66effdeeaa2eb650a5
SSDEEP

24576:d2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ48z2AB4:dbA3wvW+sVZy8fZWmz9

Score

10^/10

44caliber dcrat infostealer rat stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253689379948593173/lzPh5dDD7ETWYLRPMt2M_Ml82yS42YxolYTwBWldi4NXuLOvpMPhz7AlFtFln1RxcqaC

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeServercrtDll.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1616	schtasks.exe
2172	schtasks.exe
892	schtasks.exe
2924	schtasks.exe
2708	schtasks.exe
2544	schtasks.exe
1724	schtasks.exe
1544	schtasks.exe
636	schtasks.exe
1600	schtasks.exe
2432	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	ServercrtDll.exe
1920	schtasks.exe
2132	schtasks.exe
2216	schtasks.exe
1564	schtasks.exe
2812	schtasks.exe
1964	schtasks.exe
560	schtasks.exe
1556	schtasks.exe
2724	schtasks.exe
3040	schtasks.exe
904	schtasks.exe
2268	schtasks.exe
1528	schtasks.exe
2984	schtasks.exe
1696	schtasks.exe
2936	schtasks.exe
1620	schtasks.exe
2736	schtasks.exe
2692	schtasks.exe
2208	schtasks.exe
2036	schtasks.exe
2068	schtasks.exe
704	schtasks.exe
2780	schtasks.exe
2720	schtasks.exe
1680	schtasks.exe
1692	schtasks.exe
2356	schtasks.exe
772	schtasks.exe
436	schtasks.exe
1792	schtasks.exe
2548	schtasks.exe
336	schtasks.exe
2148	schtasks.exe
2920	schtasks.exe
1704	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	ServercrtDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\101b941d020240	ServercrtDll.exe
3052	schtasks.exe
1772	schtasks.exe
2792	schtasks.exe
752	schtasks.exe
1888	schtasks.exe
2852	schtasks.exe
1592	schtasks.exe
568	schtasks.exe
2152	schtasks.exe
1244	schtasks.exe
1164	schtasks.exe
2652	schtasks.exe
2704	schtasks.exe
1788	schtasks.exe

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1812	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1812	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1252-1-0x0000000000350000-0x00000000004BC000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\svchost.exe	dcrat
\Hypercommon\ServercrtDll.exe	dcrat
behavioral1/memory/2564-29-0x0000000000C60000-0x0000000000D36000-memory.dmp	dcrat
behavioral1/memory/592-82-0x0000000000E80000-0x0000000000F56000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

Processes:

svchost.exeexplorer.exeServercrtDll.exeServercrtDll.exewininit.exe

pid process

2648 svchost.exe
2704 explorer.exe
2564 ServercrtDll.exe
1264 ServercrtDll.exe
592 wininit.exe
Loads dropped DLL 4 IoCs

Processes:

Nursultan.execmd.exe

pid process

1252 Nursultan.exe
1252 Nursultan.exe
2496 cmd.exe
2496 cmd.exe

pid	process
2648	svchost.exe
2704	explorer.exe
2564	ServercrtDll.exe
1264	ServercrtDll.exe
592	wininit.exe

pid	process
1252	Nursultan.exe
1252	Nursultan.exe
2496	cmd.exe
2496	cmd.exe

Drops file in Program Files directory 16 IoCs

Processes:

ServercrtDll.exeServercrtDll.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\en-US\lsass.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\services.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\c5b4cb5e9653cc	ServercrtDll.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\101b941d020240	ServercrtDll.exe
File created	C:\Program Files\Windows Sidebar\explorer.exe	ServercrtDll.exe
File opened for modification	C:\Program Files\Windows Sidebar\explorer.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1550d6aba1d216	ServercrtDll.exe
File created	C:\Program Files\Windows Defender\en-US\6203df4a6bafc7	ServercrtDll.exe
File created	C:\Program Files\Common Files\Services\csrss.exe	ServercrtDll.exe
File created	C:\Program Files\Common Files\Services\886983d96e3d3e	ServercrtDll.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\ServercrtDll.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	ServercrtDll.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	ServercrtDll.exe
File created	C:\Program Files\Windows Sidebar\7a0fd90576e088	ServercrtDll.exe
File created	C:\Program Files\Windows Portable Devices\taskhost.exe	ServercrtDll.exe

Drops file in Windows directory 4 IoCs

Processes:

ServercrtDll.exe

description	ioc	process
File created	C:\Windows\Setup\State\886983d96e3d3e	ServercrtDll.exe
File created	C:\Windows\it-IT\explorer.exe	ServercrtDll.exe
File created	C:\Windows\it-IT\7a0fd90576e088	ServercrtDll.exe
File created	C:\Windows\Setup\State\csrss.exe	ServercrtDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1680	schtasks.exe
1920	schtasks.exe
1556	schtasks.exe
2920	schtasks.exe
1164	schtasks.exe
2068	schtasks.exe
2132	schtasks.exe
2736	schtasks.exe
2544	schtasks.exe
1592	schtasks.exe
1544	schtasks.exe
904	schtasks.exe
1696	schtasks.exe
3040	schtasks.exe
2216	schtasks.exe
1528	schtasks.exe
2704	schtasks.exe
2548	schtasks.exe
892	schtasks.exe
1724	schtasks.exe
2812	schtasks.exe
1964	schtasks.exe
2936	schtasks.exe
2172	schtasks.exe
2692	schtasks.exe
772	schtasks.exe
3052	schtasks.exe
2924	schtasks.exe
568	schtasks.exe
2152	schtasks.exe
2356	schtasks.exe
2720	schtasks.exe
1888	schtasks.exe
704	schtasks.exe
436	schtasks.exe
560	schtasks.exe
2148	schtasks.exe
1792	schtasks.exe
1600	schtasks.exe
1564	schtasks.exe
2036	schtasks.exe
2652	schtasks.exe
1244	schtasks.exe
636	schtasks.exe
2708	schtasks.exe
2724	schtasks.exe
1788	schtasks.exe
2432	schtasks.exe
2852	schtasks.exe
2984	schtasks.exe
1704	schtasks.exe
1616	schtasks.exe
812	schtasks.exe
1620	schtasks.exe
2780	schtasks.exe
2208	schtasks.exe
2792	schtasks.exe
2720	schtasks.exe
752	schtasks.exe
336	schtasks.exe
2268	schtasks.exe
1692	schtasks.exe
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

explorer.exeServercrtDll.exeServercrtDll.exewininit.exe

pid	process
2704	explorer.exe
2704	explorer.exe
2564	ServercrtDll.exe
1264	ServercrtDll.exe
1264	ServercrtDll.exe
1264	ServercrtDll.exe
1264	ServercrtDll.exe
1264	ServercrtDll.exe
1264	ServercrtDll.exe
1264	ServercrtDll.exe
592	wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

explorer.exeServercrtDll.exeServercrtDll.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	2704	explorer.exe
Token: SeDebugPrivilege	2564	ServercrtDll.exe
Token: SeDebugPrivilege	1264	ServercrtDll.exe
Token: SeDebugPrivilege	592	wininit.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Nursultan.exesvchost.exeWScript.execmd.exeServercrtDll.exeServercrtDll.execmd.exe

description	pid	process	target process
PID 1252 wrote to memory of 2648	1252	Nursultan.exe	svchost.exe
PID 1252 wrote to memory of 2648	1252	Nursultan.exe	svchost.exe
PID 1252 wrote to memory of 2648	1252	Nursultan.exe	svchost.exe
PID 1252 wrote to memory of 2648	1252	Nursultan.exe	svchost.exe
PID 1252 wrote to memory of 2704	1252	Nursultan.exe	explorer.exe
PID 1252 wrote to memory of 2704	1252	Nursultan.exe	explorer.exe
PID 1252 wrote to memory of 2704	1252	Nursultan.exe	explorer.exe
PID 1252 wrote to memory of 2704	1252	Nursultan.exe	explorer.exe
PID 2648 wrote to memory of 2752	2648	svchost.exe	WScript.exe
PID 2648 wrote to memory of 2752	2648	svchost.exe	WScript.exe
PID 2648 wrote to memory of 2752	2648	svchost.exe	WScript.exe
PID 2648 wrote to memory of 2752	2648	svchost.exe	WScript.exe
PID 2752 wrote to memory of 2496	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2496	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2496	2752	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2496	2752	WScript.exe	cmd.exe
PID 2496 wrote to memory of 2564	2496	cmd.exe	ServercrtDll.exe
PID 2496 wrote to memory of 2564	2496	cmd.exe	ServercrtDll.exe
PID 2496 wrote to memory of 2564	2496	cmd.exe	ServercrtDll.exe
PID 2496 wrote to memory of 2564	2496	cmd.exe	ServercrtDll.exe
PID 2564 wrote to memory of 1264	2564	ServercrtDll.exe	ServercrtDll.exe
PID 2564 wrote to memory of 1264	2564	ServercrtDll.exe	ServercrtDll.exe
PID 2564 wrote to memory of 1264	2564	ServercrtDll.exe	ServercrtDll.exe
PID 1264 wrote to memory of 1736	1264	ServercrtDll.exe	cmd.exe
PID 1264 wrote to memory of 1736	1264	ServercrtDll.exe	cmd.exe
PID 1264 wrote to memory of 1736	1264	ServercrtDll.exe	cmd.exe
PID 1736 wrote to memory of 1572	1736	cmd.exe	w32tm.exe
PID 1736 wrote to memory of 1572	1736	cmd.exe	w32tm.exe
PID 1736 wrote to memory of 1572	1736	cmd.exe	w32tm.exe
PID 1736 wrote to memory of 592	1736	cmd.exe	wininit.exe
PID 1736 wrote to memory of 592	1736	cmd.exe	wininit.exe
PID 1736 wrote to memory of 592	1736	cmd.exe	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Hypercommon\Udwe1ynNPaETo.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496

C:\Hypercommon\ServercrtDll.exe
"C:\Hypercommon\ServercrtDll.exe"
5⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Hypercommon\ServercrtDll.exe
"C:\Hypercommon\ServercrtDll.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g35eRXuH0O.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1572

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Links\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServercrtDllS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\ServercrtDll.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServercrtDll" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\ServercrtDll.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServercrtDllS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\ServercrtDll.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hypercommon\Udwe1ynNPaETo.bat
Filesize
33B

MD5
1af82b77403306ff43f68bf7a0786c52

SHA1
730a3bd4b524ffa024657c1fc27ffd82e25f3f81

SHA256
e358e4c2fc541cc4e5614b1af9360a85a32fc53babbc57ecf5858fe71d334f96

SHA512
0e33b779aceb2a42f5c42e07bcd3ac70a3dbb1fd2bbd4ae154979735f58eeaab5abea05cea682f4b73f6b54174ace8ac3046c6e9a84c4a729a6ed2bffa1a9ec1

Download Submit
C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe
Filesize
201B

MD5
0f314eb5d52ce9cd85095eadff4f908c

SHA1
272d25d43f789dd5fad479ab31e96214f82302b3

SHA256
f17ea2d9d889ef2012cb57191ad3a1d2d3351df8539b4029d6f7080d66217e89

SHA512
471b72558c045bc4acd276087d82e564aa7685373dea3ac3e90390df0f7f42ea06ae0254d3a4a9dc57312c7b1485916f4d470bd353b4b8c0b35d705573105f09

Download Submit
C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\f3b6ecef712a24
Filesize
550B

MD5
d7312bbc178dae80147829ffbe331b98

SHA1
3918e0016c43c0c5af94cba83ad500214e88973e

SHA256
caae62cbe389b129a50a03e83d00bfc9cbd1f40b8ef8307bf35af4fe56a76e73

SHA512
f11ce794c5375ec39a2f563e51f47f9cab0f3f73716a4b7845c4b9a8de3aab97967b170366d763c330dca27a2420c1ffc334cd4f63df0677252eaf3d0b4beb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\g35eRXuH0O.bat
Filesize
239B

MD5
186d66dff7cfe87fb5f9c41d697351f3

SHA1
6aef5892bc32c3ec6a96a7df50e9b4d39f8e6699

SHA256
ca82541c4bf5278ee98a317a54a6e9d6ffdeed7eb115ac5ee46cd83c860d1f7f

SHA512
8715ea3506af26cfa93d523214a72b62711eedb1ae38f03faaf549751a9a10cf321509ad33dc886836d293a3bc12985f098c2ea6d7da3ec209634a73218b2c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
3ee661f4a9794c72a91fa1f783f54969

SHA1
35780f52351da65b60cc63b302018950cbfe849f

SHA256
ebcaf07121ce2483989e7a71d00b83c54b942f71e51271d5b28886ef03e45b51

SHA512
0b53edac853f257b3c40b8b8014f0b0d53f546410d352965eace8eb251b2d75aa02e171586750a70dd97a4bc103b4b7707e90d5bd7a47c786858514f83281bde

Download Submit
\Hypercommon\ServercrtDll.exe
Filesize
828KB

MD5
801d5740c780d09b1cc6d971ce8b280f

SHA1
c7188e6f5998405d9dcbe83ce5d29267861be07d

SHA256
b678bee38602b80df34f15e4555bb689e2eb6aef26f4c273d652c88f8825c33f

SHA512
3296e517a6e0d6d3feb1f9d1544664b87589130d8a28f205626b2182ecdf333ff404f311ce69730d509e3072432024d3ed16db7068d35925375d9ecc5fe82b49

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
303KB

MD5
7d9282b8529bbb4ac06a3994fbcd0622

SHA1
d38d467c5e533f3bc247b6ed245fb08412a479d7

SHA256
ca5820bbbcbefd08f5ec820b833b23f7f97556a247da39510a70cbe7b809e3a9

SHA512
aec2d63548176dc1a8ad3d2dfce0bc41973230c6898c55171dec7fc2919b84a8061d4308449c9551cc40ac7c08ad773fd6a7818bbd748ede9be64acc11dcfca5

Download Submit
memory/592-82-0x0000000000E80000-0x0000000000F56000-memory.dmp

Filesize
856KB

Download
memory/1252-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/1252-1-0x0000000000350000-0x00000000004BC000-memory.dmp

Filesize
1.4MB

Download
memory/2564-29-0x0000000000C60000-0x0000000000D36000-memory.dmp

Filesize
856KB

Download
memory/2704-23-0x0000000000D70000-0x0000000000DC2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads