Analysis

max time kernel: 144s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31/10/2022, 22:05

Behavioral task: behavioral1
Sample: 95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c.exe
Resource: win10-20220901-en

General

Target: 95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c.exe
Size: 1.3MB
MD5: 3659560afd4df52a635113b898ae9745
SHA1: 424234ea377f6de04614d01734208dfd21389e79
SHA256: 95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c
SHA512: 668061b0954a03b4fb01bdfd8524cfd35ba65a19120e9adcf365ffc87897eef946df0460d29803c95bbf66feec2dce703f2dcddcb385f22e899eda1b35c1d073
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4060 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3928 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4776 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4444 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3112 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4736 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4416 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4696 | 4148 | schtasks.exe | 70 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4832 | 4148 | schtasks.exe | 70 |
YARA matches

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000900000001ac16-281.dat | dcrat |
| behavioral1/files/0x000900000001ac16-282.dat | dcrat |
| behavioral1/memory/4588-283-0x0000000000930000-0x0000000000A40000-memory.dmp | dcrat |
| behavioral1/files/0x000600000001ac22-300.dat | dcrat |
| behavioral1/files/0x000600000001ac22-302.dat | dcrat |
| behavioral1/files/0x000600000001ac22-472.dat | dcrat |
| behavioral1/files/0x000600000001ac22-478.dat | dcrat |
| behavioral1/files/0x000600000001ac22-483.dat | dcrat |
| behavioral1/files/0x000600000001ac22-488.dat | dcrat |
| behavioral1/files/0x000600000001ac22-493.dat | dcrat |
| behavioral1/files/0x000600000001ac22-498.dat | dcrat |
| behavioral1/files/0x000600000001ac22-504.dat | dcrat |
| behavioral1/files/0x000600000001ac22-509.dat | dcrat |
| behavioral1/files/0x000600000001ac22-514.dat | dcrat |
| behavioral1/files/0x000600000001ac22-519.dat | dcrat |
| behavioral1/files/0x000600000001ac22-524.dat | dcrat |
Executes dropped EXE (13 IoCs)

| pid | Process |
|---|---|
| 4588 | DllCommonsvc.exe |
| 412 | ShellExperienceHost.exe |
| 4188 | ShellExperienceHost.exe |
| 4696 | ShellExperienceHost.exe |
| 2168 | ShellExperienceHost.exe |
| 2812 | ShellExperienceHost.exe |
| 1468 | ShellExperienceHost.exe |
| 4180 | ShellExperienceHost.exe |
| 1540 | ShellExperienceHost.exe |
| 896 | ShellExperienceHost.exe |
| 856 | ShellExperienceHost.exe |
| 3248 | ShellExperienceHost.exe |
| 3032 | ShellExperienceHost.exe |
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\f8c8f1285d826b | DllCommonsvc.exe |

Drops file in Windows directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Media\Sonata\Idle.exe | DllCommonsvc.exe |
| File created | C:\Windows\Media\Sonata\6ccacd8608530f | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 3112 | schtasks.exe |
| 4832 | schtasks.exe |
| 4060 | schtasks.exe |
| 3928 | schtasks.exe |
| 2676 | schtasks.exe |
| 4444 | schtasks.exe |
| 4416 | schtasks.exe |
| 4696 | schtasks.exe |
| 2856 | schtasks.exe |
| 4776 | schtasks.exe |
| 4536 | schtasks.exe |
| 4736 | schtasks.exe |
Modifies registry class (12 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | 95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c.exe |
Suspicious behavior: EnumeratesProcesses (32 IoCs)

| pid | Process |
|---|---|
| 4588 | DllCommonsvc.exe |
| 4588 | DllCommonsvc.exe |
| 4588 | DllCommonsvc.exe |
| 4588 | DllCommonsvc.exe |
| 4588 | DllCommonsvc.exe |
| 4716 | powershell.exe |
| 4704 | powershell.exe |
| 4620 | powershell.exe |
| 2300 | powershell.exe |
| 552 | powershell.exe |
| 4704 | powershell.exe |
| 412 | ShellExperienceHost.exe |
| 4716 | powershell.exe |
| 4620 | powershell.exe |
| 552 | powershell.exe |
| 2300 | powershell.exe |
| 4704 | powershell.exe |
| 4716 | powershell.exe |
| 4620 | powershell.exe |
| 552 | powershell.exe |
| 2300 | powershell.exe |
| 4188 | ShellExperienceHost.exe |
| 4696 | ShellExperienceHost.exe |
| 2168 | ShellExperienceHost.exe |
| 2812 | ShellExperienceHost.exe |
| 1468 | ShellExperienceHost.exe |
| 4180 | ShellExperienceHost.exe |
| 1540 | ShellExperienceHost.exe |
| 896 | ShellExperienceHost.exe |
| 856 | ShellExperienceHost.exe |
| 3248 | ShellExperienceHost.exe |
| 3032 | ShellExperienceHost.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

The 64 "Token:" entries are grouped by process, in the order the report lists them:

- 4588 DllCommonsvc.exe: SeDebugPrivilege
- 4716 powershell.exe: SeDebugPrivilege
- 4704 powershell.exe: SeDebugPrivilege
- 412 ShellExperienceHost.exe: SeDebugPrivilege
- 4620 powershell.exe: SeDebugPrivilege
- 2300 powershell.exe: SeDebugPrivilege
- 552 powershell.exe: SeDebugPrivilege
- 4704 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 4716 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 4620 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)

Identical rows are collapsed; the last column gives how many times the report lists each row (64 rows in total).

| description | pid | Process | procid_target | listed |
|---|---|---|---|---|
| PID 3520 wrote to memory of 3304 | 3520 | 95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c.exe | 66 | 3 |
| PID 3304 wrote to memory of 1296 | 3304 | WScript.exe | 67 | 3 |
| PID 1296 wrote to memory of 4588 | 1296 | cmd.exe | 69 | 2 |
| PID 4588 wrote to memory of 4704 | 4588 | DllCommonsvc.exe | 83 | 2 |
| PID 4588 wrote to memory of 4716 | 4588 | DllCommonsvc.exe | 92 | 2 |
| PID 4588 wrote to memory of 4620 | 4588 | DllCommonsvc.exe | 91 | 2 |
| PID 4588 wrote to memory of 552 | 4588 | DllCommonsvc.exe | 86 | 2 |
| PID 4588 wrote to memory of 2300 | 4588 | DllCommonsvc.exe | 87 | 2 |
| PID 4588 wrote to memory of 412 | 4588 | DllCommonsvc.exe | 93 | 2 |
| PID 412 wrote to memory of 3372 | 412 | ShellExperienceHost.exe | 95 | 2 |
| PID 3372 wrote to memory of 5004 | 3372 | cmd.exe | 97 | 2 |
| PID 3372 wrote to memory of 4188 | 3372 | cmd.exe | 98 | 2 |
| PID 4188 wrote to memory of 4840 | 4188 | ShellExperienceHost.exe | 99 | 2 |
| PID 4840 wrote to memory of 4748 | 4840 | cmd.exe | 101 | 2 |
| PID 4840 wrote to memory of 4696 | 4840 | cmd.exe | 102 | 2 |
| PID 4696 wrote to memory of 4428 | 4696 | ShellExperienceHost.exe | 103 | 2 |
| PID 4428 wrote to memory of 4856 | 4428 | cmd.exe | 105 | 2 |
| PID 4428 wrote to memory of 2168 | 4428 | cmd.exe | 106 | 2 |
| PID 2168 wrote to memory of 1104 | 2168 | ShellExperienceHost.exe | 107 | 2 |
| PID 1104 wrote to memory of 1856 | 1104 | cmd.exe | 109 | 2 |
| PID 1104 wrote to memory of 2812 | 1104 | cmd.exe | 110 | 2 |
| PID 2812 wrote to memory of 2264 | 2812 | ShellExperienceHost.exe | 111 | 2 |
| PID 2264 wrote to memory of 4964 | 2264 | cmd.exe | 113 | 2 |
| PID 2264 wrote to memory of 1468 | 2264 | cmd.exe | 114 | 2 |
| PID 1468 wrote to memory of 3816 | 1468 | ShellExperienceHost.exe | 116 | 2 |
| PID 3816 wrote to memory of 440 | 3816 | cmd.exe | 117 | 2 |
| PID 3816 wrote to memory of 4180 | 3816 | cmd.exe | 118 | 2 |
| PID 4180 wrote to memory of 3016 | 4180 | ShellExperienceHost.exe | 119 | 2 |
| PID 3016 wrote to memory of 1536 | 3016 | cmd.exe | 121 | 2 |
| PID 3016 wrote to memory of 1540 | 3016 | cmd.exe | 122 | 2 |
| PID 1540 wrote to memory of 3936 | 1540 | ShellExperienceHost.exe | 123 | 2 |
Processes

Each entry gives the executable path, the command line, the PID and the signatures that fired for that process. The level is the depth in the process tree: a child sits one level below its parent.

Level 1: C:\Users\Admin\AppData\Local\Temp\95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95faf67c03bdb322c058ba363f327d7827482039ac1a16aa115cda78f0c3f88c.exe"
  PID: 3520
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 3304
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  PID: 1296
  - Suspicious use of WriteProcessMemory

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 4588
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 4704
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
  PID: 552
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Sonata\Idle.exe'
  PID: 2300
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe'
  PID: 4620
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  PID: 4716
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 412
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
  PID: 3372
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5004

Level 7: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 4188
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
  PID: 4840
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4748

Level 9: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 4696
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
  PID: 4428
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4856

Level 11: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 2168
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
  PID: 1104
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1856

Level 13: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 2812
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
  PID: 2264
  - Suspicious use of WriteProcessMemory

Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4964

Level 15: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 1468
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
  PID: 3816
  - Suspicious use of WriteProcessMemory

Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 440

Level 17: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 4180
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
  PID: 3016
  - Suspicious use of WriteProcessMemory

Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1536

Level 19: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 1540
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
  PID: 3936

Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 32

Level 21: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 896
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
  PID: 3924

Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1800

Level 23: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 856
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
  PID: 1032

Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3716

Level 25: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 3248
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
  PID: 548

Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5004

Level 27: C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe
  Command line: "C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe"
  PID: 3032
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
  PID: 4060
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  PID: 2856
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  PID: 3928
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe'" /f
  PID: 2676
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe'" /rl HIGHEST /f
  PID: 4776
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\ShellExperienceHost.exe'" /rl HIGHEST /f
  PID: 4536
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\odt\sppsvc.exe'" /f
  PID: 4444
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
  PID: 3112
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
  PID: 4736
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Sonata\Idle.exe'" /f
  PID: 4416
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\Idle.exe'" /rl HIGHEST /f
  PID: 4696
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Sonata\Idle.exe'" /rl HIGHEST /f
  PID: 4832
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Consecutive identical entries are collapsed; where the report lists the same file more than once in a row, the count is given after the entry.

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
(13 consecutive identical entries)

Filesize: 1KB
MD5: d63ff49d7c92016feb39812e4db10419
SHA1: 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256: 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512: 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Filesize: 1KB
MD5: a4661a1f6e8920ca236a97c5441f8381
SHA1: 6b179049250d9340a8651994ce8daec827c46ffa
SHA256: 343ed8558c8d00df322897b80a78c8d1387ef1b31c6515ed75aa2ef3965f42d1
SHA512: 1e87ce8b0a17912933c207946eb4baf3ebf955317267ea7ddaa90cf223010bf5bfbef9ac8573087f61e90c11a53b405012de5146a541d2114109c9a15b775b53

Filesize: 1KB
MD5: 546b5e0d077a02e22b1727a551403d08
SHA1: c3bace2d5b1565b243b600cce9f101e12992cf98
SHA256: 4a54a8043d532a3866f13898f8bcc6624034498a87c0434e5476e196e1bee923
SHA512: fad208c27d44ff87785a6504e69a536c46dcc0c2350f1d156ff9475fa4c1f34a18db9ed747e697cd90682213a36822ca84d312dd956b9e5a4f8268f03ab10a40
(2 consecutive identical entries)

Filesize: 236B
MD5: 33c41fd8a36e14fc710adf2a504fc0e0
SHA1: d9da50d3a19fb416323241be86540c888eb870e0
SHA256: bc4f78b697c2fb058f5c48bd6721af68d1248f126caaaa56a53acf9dc3dc30d9
SHA512: 1b9cb604f41cd57635c5e05c1854cb52c1bc245a933167e33855436ac26c8f66d04f15bf1f2dbfa57a86f22d54ad7fcea3560776cd59759f59aba54912d1d409

Filesize: 236B
MD5: c106d78489cafa6f138f8d694fda408c
SHA1: e270089cb34cfc8f022bd468cdef02e1097be7cd
SHA256: 9ac4f13a8866248109afafe09d229c35142f8c6ff118a6158be16ba9fb3def56
SHA512: faecbaeabf2d70253073d6776ad940b373de201d571758bef5fdac8f976e83d417d867a895cc5d07aec74320ea784f74f1cfeb92ebee572a75a4d447a03c25b7

Filesize: 236B
MD5: cac91028200393da1583d5d7cd476a8a
SHA1: b7c3b6ee3c4e512341628f309025469e48cbcde1
SHA256: ed255e78fa271c953e05c7169cfd6902db7faab21d8933df2d5997b6b6cc6a64
SHA512: 309c6cc4a6d52a9ceedd396ec108d6173705f6b305c1e7e4c64d93205a18a72595af58099ac2f214d888d4991693a54d7c8166407e0c5f4ccaae159ee70af110

Filesize: 236B
MD5: 224525d905f16b6e66c9c3560c20e125
SHA1: 4f353a81e4b661ae911456f0031ee72e6d9bf8fe
SHA256: 3e6de5e9f6ba5c9a74ec59b80ce0a66555f8aed03b3fb5a4ef441822219fe8d5
SHA512: d163165042817dc17a4c0dc613906bfa05e97bf014a0f428fa0ace27d4db1fc21da250b388ddf097fda0868ca40d7caa6844b550ea85173f13339ff0050add1c

Filesize: 236B
MD5: aabfc6826ed907c30577fb0550535d33
SHA1: 607cdad000ba6c020ff038b99645b7a29eaab7d0
SHA256: e64be2b0f38aa915e15ba5b954d8b7c84f8da1db64305e4ffa4ec3e9ecbcb2c7
SHA512: 87deb9ae2ee29e9b05de98a8e3e53d1975dc5097608e32e27ce6bd75521ba3cbc086c65c9e40bfa7a764eb91a2e127474de3f0a3cdf8d263ce752deaa5ae096c

Filesize: 236B
MD5: 8c79b62564eb94981538a311c7d16f1c
SHA1: 6ac9d1bdb51f2c7be8244f860bbb95d75df0d6c5
SHA256: 5fd3dc70538a124086e0f39a0b76d30e9adfe233b1840125450f9702895b08d4
SHA512: dfa1f85d6aeb31f96a361b6af78d49769588b98d189d70d427303062d0dd2f18eccca2a4f4bcdb5d4a2116a5fa6669ac7c1ed17dba1f7bc1dc9e743e86c13981

Filesize: 236B
MD5: b3b258551085a65a1843f48346be0109
SHA1: c3c09a5176f0f4997472db649aeefcf5d04ccbf0
SHA256: daedebd2797c0e300dc9ca015ee042942057624aaabb6d165507494d53aef969
SHA512: 3b2d22a04602f4b00f778ce84f6fcb810ef12c1c3272006605e45aa986e3322c4f4ed855a6aa97acb3684681f320a8055a1f784a638f3da8a66a3ae7aed45902

Filesize: 236B
MD5: 2744af9d8edf26f0a886b75217a8c791
SHA1: dcdd3d9063a0300107ab4333dd4971c3243242a3
SHA256: ae6378a757271e748c40b8b7258d3f0510868f9df5d56ed77231ee382b5a3f67
SHA512: af2798d148f91a703b684d42d629fb7f9c22fce5f95a7101bede2c39e6d42f3158108096879daf8392804fbce218de62559965129a3b332d895b41e9caebf1da

Filesize: 236B
MD5: c3e177b708af3ca7aedbbc46a0db9cf8
SHA1: e3e2790dac107bbfea73a66aa102be42fbd5f8f7
SHA256: 10b3d8cb2aaaafcafee6847821e1bcb14003672b57bcdd4688997520045d3606
SHA512: 8cb64d578321e5ec4152c1a42766895e2778bb7bfad2ea22191dbf3ac5fa779bbc3782a3c549f11ebc32df05fafa9cd14645b003832d4932c45284dccdfaa52e

Filesize: 236B
MD5: 390d598a87ad936ab3ddb0480886faa5
SHA1: 18e733f439cdca9c7951607c14d6c91e1b005c33
SHA256: 3601d19713fb267cd5337929556ff0b69b9cff821502b5a7cb402b6fd33dde8f
SHA512: c7ed92936e8e0925ceaaa6877c0442c99a798014b07e7f7887d96b6c5c90e3ddff5f10462eea00d5546d37a4b036495e544ca54c7793deda822065bc34abaef7

Filesize: 236B
MD5: 906ded1cb83900f7b5c4785e4bbf3440
SHA1: 78775f1833066046251254d37df45af75a0767b6
SHA256: 872a7ba8cd694f41584f89aaa56c94a8d61dee7bdb548f84462a8614330013ac
SHA512: b51b88f9d83ddff1dbbf6b054c08743ea668a72e4668a20eb61ff70aea07eeda23ef59495c1fe75c5b9b071ed886f2a63ee66bceb3e16546548d3d7156bcb6a1

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
(2 consecutive identical entries)

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478