Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21-07-2024 22:17
Behavioral task behavioral1
- Sample: NursultanCrack.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: NursultanCrack.exe
- Resource: win10v2004-20240709-en
General
- Target: NursultanCrack.exe
- Size: 1.9MB
- MD5: 9c49f8ab036331a19ab63f9aff82db38
- SHA1: a27f11d48f1428b8efb5384f779f355271cc8877
- SHA256: c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9
- SHA512: 2a61a2bf0bfff8c84f2ba5065b87563edd36b4a8ab34e2354f01e46a9ab7d19677cda9b686f95598921de7c2480da53a5e76965f01733e875033208adf9bfecd
- SSDEEP: 24576:h2G/nvxW3WHj0PhetvJ2pv6zvifbzgs4dGnO1F4R8rDX6ZrnHkBseAa+s:hbA3ZUo6buPaARUDInHkBHR
Malware Config
Signatures
DcRat 47 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe, Hypercommon.exe
- schtasks.exe (pid): 2200, 1716, 2468, 288, 3004, 2500, 480, 1412, 2536, 924, 2512, 1672, 2760, 2656, 2984, 1548, 1632, 552, 1644, 1524, 2084, 2940, 2572, 1224, 852, 1500, 2948, 1780, 2148, 1784, 740, 2588, 2952, 2960, 2696, 1132, 2428, 2992, 464, 3052, 2568, 1592, 1648, 3040, 264
- Hypercommon.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Hypercommon.exe: File created C:\Program Files\Uninstall Information\6ccacd8608530f
Modifies WinLogon for persistence 2 TTPs 15 IoCs
Processes: Hypercommon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written 15 times by Hypercommon.exe. Every recorded value is a prefix of the same list, so the 15 values are the prefixes of length 1 to 15 (paths) of the final value:
"explorer.exe, \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\", \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\""
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 2056, process schtasks.exe); pid: 2992, 2984, 2760, 2588, 2656, 1224, 288, 2952, 464, 3004, 3052, 2084, 2940, 3040, 2948, 1780, 852, 1500, 1412, 2536, 2148, 480, 264, 924, 2512, 2696, 2500, 2572, 1784, 2568, 1132, 1592, 1632, 552, 1644, 1672, 1524, 740, 2200, 2960, 1548, 1716, 2468, 2428, 1648
UAC bypass
Processes: spoolsv.exe, Hypercommon.exe
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Yara matches (resource: yara_rule):
- C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe: dcrat
- behavioral1/memory/2296-13-0x0000000000050000-0x00000000001C0000-memory.dmp: dcrat
- behavioral1/memory/1720-60-0x0000000000D60000-0x0000000000ED0000-memory.dmp: dcrat
Executes dropped EXE 2 IoCs
Processes: Hypercommon.exe, spoolsv.exe
- 2296 Hypercommon.exe
- 1720 spoolsv.exe
Loads dropped DLL 2 IoCs
Processes: cmd.exe
- 2560 cmd.exe
- 2560 cmd.exe
Adds Run key to start application 2 TTPs 30 IoCs
Processes: Hypercommon.exe (all 30 entries are Set value (str) by Hypercommon.exe)
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\""
Checks whether UAC is enabled
Processes: Hypercommon.exe, spoolsv.exe
- Hypercommon.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Program Files directory 13 IoCs
Processes: Hypercommon.exe (all entries by Hypercommon.exe)
- File opened for modification C:\Program Files\Uninstall Information\Idle.exe
- File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\5940a34987c991
- File created C:\Program Files\Uninstall Information\6ccacd8608530f
- File created C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d
- File created C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe
- File created C:\Program Files\Windows Photo Viewer\ja-JP\6cb0b6c459d5d3
- File created C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe
- File created C:\Program Files (x86)\MSBuild\Microsoft\6203df4a6bafc7
- File created C:\Program Files\Uninstall Information\Idle.exe
- File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe
- File created C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e
- File created C:\Program Files\Windows Portable Devices\cmd.exe
- File created C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
Drops file in Windows directory 2 IoCs
Processes: Hypercommon.exe
- File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe
- File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\088424020bedd6
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
- schtasks.exe (pid): 2512, 2696, 2468, 2960, 3004, 2940, 1500, 2148, 924, 2500, 1644, 1672, 2588, 288, 3052, 2084, 1780, 480, 1548, 2952, 1412, 2536, 2572, 1632, 2200, 1716, 2428, 2984, 1224, 464, 2948, 1592, 1524, 2760, 2656, 2568, 552, 1648, 3040, 264, 1132, 2992, 852, 1784, 740
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: Hypercommon.exe, spoolsv.exe
- 2296 Hypercommon.exe (1 entry)
- 1720 spoolsv.exe (9 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: spoolsv.exe
- 1720 spoolsv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Hypercommon.exe, spoolsv.exe
- Token: SeDebugPrivilege, pid 2296, Hypercommon.exe
- Token: SeDebugPrivilege, pid 1720, spoolsv.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: NursultanCrack.exe, WScript.exe, cmd.exe, Hypercommon.exe, spoolsv.exe
- PID 2676 (NursultanCrack.exe) wrote to memory of 1072 (WScript.exe): 4 entries
- PID 1072 (WScript.exe) wrote to memory of 2560 (cmd.exe): 4 entries
- PID 2560 (cmd.exe) wrote to memory of 2296 (Hypercommon.exe): 4 entries
- PID 2296 (Hypercommon.exe) wrote to memory of 1720 (spoolsv.exe): 3 entries
- PID 1720 (spoolsv.exe) wrote to memory of 1604 (WScript.exe): 3 entries
- PID 1720 (spoolsv.exe) wrote to memory of 1772 (WScript.exe): 3 entries
System policy modification 1 TTPs 6 IoCs
Processes: Hypercommon.exe, spoolsv.exe
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Hypercommon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe (process tree level 4)
Command line: "C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2296
-
C:\Users\Default User\spoolsv.exe (process tree level 5)
Command line: "C:\Users\Default User\spoolsv.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720
-
C:\Windows\System32\WScript.exe (process tree level 6)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8495b3a-9db8-4546-8c5d-bdd0435d60f4.vbs"
PID:1604
-
C:\Windows\System32\WScript.exe (process tree level 6)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fe43d45-72da-43a3-a071-f6cfe09cc118.vbs"
PID:1772
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "Hypercommon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe (process tree level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
-
Filesize
485B
MD5 e282d2ed3a64f63fd1cf28cca5fc00d2
SHA1 f9f9fea3051f18a9ce2d57143cc0a24f2defd082
SHA256 8daee1c947167d76b8dc48cbf61f16910eeb32286f84403a11cc5b242e48d5ff
SHA512 ced76dea7d8f657fd185a5aa264483e5c69d2c466e5223c664bd15edd912a505f62821e0fa13c5281d8b89bae73cb6224241ab17f8045fcbef27dadfa303b538
-
Filesize
709B
MD5 9ff48d05a69ed8d8454b16ec89a821db
SHA1 3a51ddc504f5774b6bc70ab4b0263fe20e05759e
SHA256 2bfc9517ea0b46fc0a822edf463f53581bac45a7a4fc59073cf6324c795b7357
SHA512 22e086870ed4a43ddcacad432f5f5e40acf322734187a2492bce52cc1e023bcd00dd1f2a4a47afe8d8cbcb734a7f0142b10f9d452aa7ad9c32402c4bba82e597
-
Filesize
38B
MD5 6c77726beb17fe13c44cbc3312d1ca54
SHA1 919076735be5e1c6c9d077b12beadce4470c7bb2
SHA256 e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03
SHA512 5089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4
-
Filesize
1.4MB
MD5 f1ca585436d62720be1c8d7f24fb773f
SHA1 3687e578f150e45aa5194f9c485b221459f0f454
SHA256 dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7
SHA512 9e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc
-
Filesize
209B
MD5 2febca5513bbb1d2fb14b29bd4998314
SHA1 5fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def
SHA256 d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112
SHA512 60a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c