Analysis
max time kernel: 1798s
max time network: 1805s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-07-2024 14:31
Behavioral task behavioral1
  Sample: Nursultan.exe
  Resource: win10v2004-20240508-en
Behavioral task behavioral2
  Sample: Nursultan.exe
  Resource: win11-20240508-en
General
Target: Nursultan.exe
Size: 1.4MB
MD5: 1b6293c7f0dfed044b0eba8b98b0faff
SHA1: e5705cbb256bb0b1a350e1b9fb71c1a1e4ac605a
SHA256: fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8
SHA512: 694e9afd04089172c991a712849049545459ceeed99780a6f012ca086fa2d1b70bbd627534b85b1797f4be22feda55e46e6966fe96a2ee66effdeeaa2eb650a5
SSDEEP: 24576:d2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ48z2AB4:dbA3wvW+sVZy8fZWmz9
Malware Config
Extracted: 44caliber
https://discord.com/api/webhooks/1253689379948593173/lzPh5dDD7ETWYLRPMt2M_Ml82yS42YxolYTwBWldi4NXuLOvpMPhz7AlFtFln1RxcqaC
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process  18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3956 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3584 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2564 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3860 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3000 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4904 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4340 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3080 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4780 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3508 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4724 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2064 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4280 | 2064 | schtasks.exe
YARA matches:
resource | yara_rule
behavioral2/memory/4872-1-0x0000000000A00000-0x0000000000B6C000-memory.dmp | dcrat
C:\Users\Admin\AppData\Local\Temp\svchost.exe | dcrat
behavioral2/memory/2836-32-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp | dcrat
C:\Hypercommon\ServercrtDll.exe | dcrat
behavioral2/memory/5004-39-0x00000000000B0000-0x0000000000186000-memory.dmp | dcrat
behavioral2/memory/2836-63-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp | dcrat
Executes dropped EXE  24 IoCs
Processes:
pid | process
1544 | svchost.exe
2836 | explorer.exe
5004 | ServercrtDll.exe
3952 | cmd.exe
1164 | dllhost.exe
5004 | SppExtComObj.exe
1456 | services.exe
3504 | dllhost.exe
3172 | cmd.exe
1960 | SppExtComObj.exe
4388 | sppsvc.exe
4716 | RuntimeBroker.exe
4692 | dllhost.exe
840 | SppExtComObj.exe
4196 | services.exe
5000 | dllhost.exe
4780 | cmd.exe
3280 | SppExtComObj.exe
1416 | sppsvc.exe
4964 | dllhost.exe
3448 | RuntimeBroker.exe
4724 | services.exe
2696 | SppExtComObj.exe
1356 | dllhost.exe
Drops file in Program Files directory  4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe | ServercrtDll.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\e1ef82546f0b02 | ServercrtDll.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe | ServercrtDll.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\9e8d7a4ca61bd9 | ServercrtDll.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class  1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | svchost.exe
Scheduled Task/Job: Scheduled Task  1 TTPs  18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2564 | schtasks.exe
3000 | schtasks.exe
4780 | schtasks.exe
4724 | schtasks.exe
3860 | schtasks.exe
4904 | schtasks.exe
384 | schtasks.exe
3004 | schtasks.exe
1164 | schtasks.exe
4544 | schtasks.exe
3584 | schtasks.exe
4340 | schtasks.exe
3080 | schtasks.exe
3508 | schtasks.exe
3956 | schtasks.exe
2004 | schtasks.exe
3008 | schtasks.exe
4280 | schtasks.exe
Suspicious behavior: EnumeratesProcesses  26 IoCs
Processes:
pid | process
2836 | explorer.exe
2836 | explorer.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
5004 | ServercrtDll.exe
3952 | cmd.exe
1164 | dllhost.exe
5004 | SppExtComObj.exe
1456 | services.exe
3172 | cmd.exe
1960 | SppExtComObj.exe
4716 | RuntimeBroker.exe
4692 | dllhost.exe
840 | SppExtComObj.exe
4196 | services.exe
4780 | cmd.exe
3280 | SppExtComObj.exe
4964 | dllhost.exe
3448 | RuntimeBroker.exe
4724 | services.exe
Suspicious use of AdjustPrivilegeToken  23 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2836 | explorer.exe
Token: SeDebugPrivilege | 5004 | ServercrtDll.exe
Token: SeDebugPrivilege | 3952 | cmd.exe
Token: SeDebugPrivilege | 1164 | dllhost.exe
Token: SeDebugPrivilege | 5004 | SppExtComObj.exe
Token: SeDebugPrivilege | 1456 | services.exe
Token: SeDebugPrivilege | 3504 | dllhost.exe
Token: SeDebugPrivilege | 3172 | cmd.exe
Token: SeDebugPrivilege | 1960 | SppExtComObj.exe
Token: SeDebugPrivilege | 4388 | sppsvc.exe
Token: SeDebugPrivilege | 4716 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4692 | dllhost.exe
Token: SeDebugPrivilege | 840 | SppExtComObj.exe
Token: SeDebugPrivilege | 4196 | services.exe
Token: SeDebugPrivilege | 5000 | dllhost.exe
Token: SeDebugPrivilege | 4780 | cmd.exe
Token: SeDebugPrivilege | 3280 | SppExtComObj.exe
Token: SeDebugPrivilege | 1416 | sppsvc.exe
Token: SeDebugPrivilege | 4964 | dllhost.exe
Token: SeDebugPrivilege | 3448 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4724 | services.exe
Token: SeDebugPrivilege | 2696 | SppExtComObj.exe
Token: SeDebugPrivilege | 1356 | dllhost.exe
Suspicious use of WriteProcessMemory  15 IoCs
Processes:
description | pid | process | target process
PID 4872 wrote to memory of 1544 | 4872 | Nursultan.exe | svchost.exe
PID 4872 wrote to memory of 1544 | 4872 | Nursultan.exe | svchost.exe
PID 4872 wrote to memory of 1544 | 4872 | Nursultan.exe | svchost.exe
PID 4872 wrote to memory of 2836 | 4872 | Nursultan.exe | explorer.exe
PID 4872 wrote to memory of 2836 | 4872 | Nursultan.exe | explorer.exe
PID 1544 wrote to memory of 4560 | 1544 | svchost.exe | WScript.exe
PID 1544 wrote to memory of 4560 | 1544 | svchost.exe | WScript.exe
PID 1544 wrote to memory of 4560 | 1544 | svchost.exe | WScript.exe
PID 4560 wrote to memory of 1240 | 4560 | WScript.exe | cmd.exe
PID 4560 wrote to memory of 1240 | 4560 | WScript.exe | cmd.exe
PID 4560 wrote to memory of 1240 | 4560 | WScript.exe | cmd.exe
PID 1240 wrote to memory of 5004 | 1240 | cmd.exe | ServercrtDll.exe
PID 1240 wrote to memory of 5004 | 1240 | cmd.exe | ServercrtDll.exe
PID 5004 wrote to memory of 3952 | 5004 | ServercrtDll.exe | cmd.exe
PID 5004 wrote to memory of 3952 | 5004 | ServercrtDll.exe | cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
- Suspicious use of WriteProcessMemory
PID: 4872
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1544
    C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 4560
      C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Hypercommon\Udwe1ynNPaETo.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1240
        C:\Hypercommon\ServercrtDll.exe
        cmdline: "C:\Hypercommon\ServercrtDll.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 5004
          C:\Hypercommon\cmd.exe
          cmdline: "C:\Hypercommon\cmd.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3952
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2836
C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3860

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3956

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2004

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2564

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4544

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1164

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3584

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3000

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4904

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4280

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3004

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4724

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 384

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3008

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3508

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Hypercommon\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4780

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Hypercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3080

C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Hypercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4340
C:\Users\Public\dllhost.exe
cmdline: C:\Users\Public\dllhost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1164

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5004

C:\Recovery\WindowsRE\services.exe
cmdline: C:\Recovery\WindowsRE\services.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1456

C:\Users\Public\dllhost.exe
cmdline: C:\Users\Public\dllhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3504

C:\Hypercommon\cmd.exe
cmdline: C:\Hypercommon\cmd.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3172

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1960

C:\Recovery\WindowsRE\sppsvc.exe
cmdline: C:\Recovery\WindowsRE\sppsvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4388

C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4716

C:\Users\Public\dllhost.exe
cmdline: C:\Users\Public\dllhost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4692

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 840

C:\Recovery\WindowsRE\services.exe
cmdline: C:\Recovery\WindowsRE\services.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4196

C:\Users\Public\dllhost.exe
cmdline: C:\Users\Public\dllhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5000

C:\Hypercommon\cmd.exe
cmdline: C:\Hypercommon\cmd.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4780

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3280

C:\Recovery\WindowsRE\sppsvc.exe
cmdline: C:\Recovery\WindowsRE\sppsvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1416

C:\Users\Public\dllhost.exe
cmdline: C:\Users\Public\dllhost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4964

C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3448

C:\Recovery\WindowsRE\services.exe
cmdline: C:\Recovery\WindowsRE\services.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4724

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
cmdline: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2696

C:\Users\Public\dllhost.exe
cmdline: C:\Users\Public\dllhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1356
Network
MITRE ATT&CK Enterprise v15
Downloads