Analysis
max time kernel: 125s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2024 07:11

Behavioral task: behavioral1
Sample: 76552F8BD7533C66BC900C75ABDC0EA7.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 76552F8BD7533C66BC900C75ABDC0EA7.exe
Resource: win10v2004-20240709-en

General
Target: 76552F8BD7533C66BC900C75ABDC0EA7.exe
Size: 1.2MB
MD5: 76552f8bd7533c66bc900c75abdc0ea7
SHA1: 9a682fc922b82e6896c9892efb85687586963355
SHA256: 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
SHA512: 4479dc402d8f9ddf9d8fcb46d9a5048484e59e91b5f4c0b1efd6042ab287556fc028f5e3f0ae03856521bdc346613d848469732de77150719d14dfa3c5171b77
SSDEEP: 24576:sMYo92G/nvxW3Ww0tp6A3bEXxdhJGx+RYdVmX9ddqGC:/NbA30QArEX+x+en
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report, however, all 36 children are schtasks.exe and all share the same parent PID (2652, C:\Windows\system32\wbem\wmiprvse.exe). A command started through WMI (Win32_Process.Create) runs as a child of WmiPrvSE.exe rather than of the process that requested it, so this pattern is consistent with the sample registering its scheduled tasks via WMI and does not by itself show that the WMI provider host was exploited.
Processes (child pid, parent pid, process):
Description for every row: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Parent PID (pid_target) is 2652 in every row; the schtasks.exe child PIDs, in the order reported, are:
2920, 2340, 928, 2968, 1900, 2576, 2348, 2044, 2848, 2680, 1500, 2720, 2988, 3036, 2984, 2660, 1684, 1528, 1664, 2552, 2392, 2252, 2008, 2476, 1780, 1876, 2124, 2516, 2168, 1132, 1280, 1692, 2396, 264, 792, 2592
-
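The lineage checks behind this signature, as an added example that is not part of the report: a parent that should not launch command-line tools is reported for every child outside a small allow-list, and a parent that launches many copies of the same child in a short window is reported once as a burst. The PIDs and image paths come from the report; the timestamps, the explorer.exe parent and the WerFault.exe event are constructed, and the allow-list and thresholds are this example's own assumptions.

```python
"""Lineage checks modelled on the 'Process spawned unexpected child process'
signature: report children of sensitive parents, and report a parent that
creates a burst of identical children.  Added example; see the lead-in for
what is taken from the report and what is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Parents that do not normally launch command-line tools.  A child whose image
# name is not in the set is reported.  Assumed baseline, not from the report.
SENSITIVE_PARENTS = {
    "wmiprvse.exe": {"werfault.exe"},   # WMI provider host
    "spoolsv.exe": set(),               # print spooler
    "winword.exe": {"splwow64.exe"},    # Word
}
# Burst rule: same parent, same child image, at least this many in the window.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=30)

T0 = datetime(2024, 7, 17, 7, 11, 0)   # constructed base time (submission time)

def event(pid, ppid, image, parent_image, seconds):
    """One process-creation record (Sysmon event 1 style, reduced to the
    fields the rules need).  Constructed for this example."""
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "time": T0 + timedelta(seconds=seconds)}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
EVENTS = [
    event(2508, 1400, SAMPLE, r"C:\Windows\explorer.exe", 0),   # parent PID constructed
    event(2172, 2508, r"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe", SAMPLE, 1),
    event(2712, 2508, r"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe", SAMPLE, 1),
    # six of the 36 schtasks.exe children of wmiprvse.exe (PID 2652) in the report
    event(2920, 2652, r"C:\Windows\system32\schtasks.exe", WMI, 20),
    event(2340, 2652, r"C:\Windows\system32\schtasks.exe", WMI, 21),
    event(928, 2652, r"C:\Windows\system32\schtasks.exe", WMI, 21),
    event(2968, 2652, r"C:\Windows\system32\schtasks.exe", WMI, 22),
    event(1900, 2652, r"C:\Windows\system32\schtasks.exe", WMI, 23),
    event(2576, 2652, r"C:\Windows\system32\schtasks.exe", WMI, 24),
    # constructed benign child of the WMI host, to exercise the allow-list
    event(4000, 2652, r"C:\Windows\system32\WerFault.exe", WMI, 25),
]

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def unexpected_children(events):
    """(parent pid, child pid, child image) for every child of a sensitive
    parent whose image is not on that parent's allow-list."""
    hits = []
    for ev in events:
        allowed = SENSITIVE_PARENTS.get(image_name(ev["parent_image"]))
        child = image_name(ev["image"])
        if allowed is not None and child not in allowed:
            hits.append((ev["ppid"], ev["pid"], child))
    return hits

def bursts(events):
    """Groups of (parent pid, child image) with at least BURST_THRESHOLD
    creations whose first and last fall inside BURST_WINDOW.  First-to-last is
    deliberate: a slow trickle spread over minutes is not reported here."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ppid"], image_name(ev["image"]))].append(ev)
    found = []
    for (ppid, child), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        if len(evs) >= BURST_THRESHOLD and evs[-1]["time"] - evs[0]["time"] <= BURST_WINDOW:
            found.append({"ppid": ppid, "child": child, "pids": [e["pid"] for e in evs]})
    return found

if __name__ == "__main__":
    for ppid, pid, child in unexpected_children(EVENTS):
        print(f"unexpected child: parent {ppid} -> {child} (pid {pid})")
    for b in bursts(EVENTS):
        print(f"burst: parent {b['ppid']} spawned {b['child']} x{len(b['pids'])}")
```

On the constructed events the allow-list rule reports the six schtasks.exe children and nothing else, and the burst rule collapses them into a single finding against PID 2652; in a real deployment the baseline in SENSITIVE_PARENTS would be derived from the fleet rather than hard-coded.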
YARA rule matches (rule: dcrat) 5 IoCs
Resources (resource, yara_rule):
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe  dcrat
behavioral1/memory/2508-12-0x0000000000400000-0x000000000053F000-memory.dmp  dcrat
\surrogatereviewRuntimebrokerMonitor\hostNet.exe  dcrat
behavioral1/memory/2644-27-0x00000000012F0000-0x00000000013C6000-memory.dmp  dcrat
behavioral1/memory/2356-59-0x0000000000E20000-0x0000000000EF6000-memory.dmp  dcrat
-
Executes dropped EXE 4 IoCs
Processes (pid, process):
2172 CrackLauncher.exe
2712 DCRatBuild.exe
2644 hostNet.exe
2356 conhost.exe (the dropped C:\surrogatereviewRuntimebrokerMonitor\conhost.exe, not the Windows console host)
-
Loads dropped DLL 5 IoCs
Processes (pid, process):
2508 76552F8BD7533C66BC900C75ABDC0EA7.exe
2948 (no process name in the report)
2508 76552F8BD7533C66BC900C75ABDC0EA7.exe
2800 cmd.exe
2800 cmd.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow, ioc):
4 ipinfo.io
5 ipinfo.io
-
Drops file in Program Files directory 11 IoCs
Processes (description, ioc, process):
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7  hostNet.exe
File created  C:\Program Files (x86)\Windows Defender\explorer.exe  hostNet.exe
File created  C:\Program Files\Windows Sidebar\de-DE\6cb0b6c459d5d3  hostNet.exe
File created  C:\Program Files\Windows Defender\es-ES\088424020bedd6  hostNet.exe
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe  hostNet.exe
File opened for modification  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe  hostNet.exe
File created  C:\Program Files (x86)\Windows Defender\7a0fd90576e088  hostNet.exe
File created  C:\Program Files\Windows Media Player\it-IT\hostNet.exe  hostNet.exe
File created  C:\Program Files\Windows Media Player\it-IT\051ac21cd939b1  hostNet.exe
File created  C:\Program Files\Windows Sidebar\de-DE\dwm.exe  hostNet.exe
File created  C:\Program Files\Windows Defender\es-ES\conhost.exe  hostNet.exe
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
File created  C:\Windows\de-DE\conhost.exe  hostNet.exe
File created  C:\Windows\de-DE\088424020bedd6  hostNet.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes (description, ioc, process):
Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\DefaultIcon  CrackLauncher.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"  CrackLauncher.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"  CrackLauncher.exe
Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347  CrackLauncher.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"  CrackLauncher.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\URL Protocol  CrackLauncher.exe
Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command  CrackLauncher.exe
Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell  CrackLauncher.exe
Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open  CrackLauncher.exe
Note: these keys register a per-user discord-1199748644409184347: URL protocol handler, the layout the Discord Game SDK writes when an application registers a launch command; here the handler and its icon are CrackLauncher.exe in the user's Temp directory, so any discord-1199748644409184347: link opened later re-launches that binary.
-
Modifies system certificate store 2 IoCs
Processes (description, ioc, process):
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  conhost.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob removed from this page)  conhost.exe
Note: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of the ISRG Root X1 (Let's Encrypt) root certificate. Windows installs missing trusted roots on demand through its automatic root update the first time a process validates a chain ending in that root, and the registry write is attributed to the process that triggered it, so on this Windows 7 image the entry is more likely a side effect of conhost.exe's outbound TLS traffic than a deliberately injected root. Compare the Blob with the published ISRG Root X1 certificate before treating this key as an indicator.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process): schtasks.exe with PIDs
928, 2044, 2680, 1500, 2392, 264, 2552, 2008, 2516, 2396, 1876, 1692, 1900, 2576, 2988, 1684, 2476, 1780, 792, 2348, 2720, 2168, 2968, 2340, 2848, 2660, 2124, 2592, 3036, 1528, 2920, 2984, 1664, 2252, 1132, 1280
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (pid, process; repeated rows collapsed with a count):
2644 hostNet.exe (3)
2356 conhost.exe (9)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
2356 conhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  2644 hostNet.exe
Token: SeDebugPrivilege  2356 conhost.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes (pid, process -> target pid, target process; repeated rows collapsed with a count):
2508 76552F8BD7533C66BC900C75ABDC0EA7.exe -> 2172 CrackLauncher.exe (4)
2508 76552F8BD7533C66BC900C75ABDC0EA7.exe -> 2712 DCRatBuild.exe (4)
2172 CrackLauncher.exe -> 2768 cmd.exe (3)
2712 DCRatBuild.exe -> 2872 WScript.exe (4)
2872 WScript.exe -> 2800 cmd.exe (4)
2800 cmd.exe -> 2644 hostNet.exe (4)
2644 hostNet.exe -> 592 cmd.exe (3)
592 cmd.exe -> 1104 w32tm.exe (3)
592 cmd.exe -> 2356 conhost.exe (3)
Note: every pair above is a parent and its direct child in the process tree. Process creation writes into the new child's address space before it starts, so these rows document the launches already shown in the tree; they are not evidence of injection into an unrelated process.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation and the leading number give the depth in the process tree; each entry lists the image path, the command line, the signatures it matched and its PID)

1  C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2508

   2  C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2172

      3  C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c cls
         PID: 2768

   2  C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2712

      3  C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"
         (the command line names System32, but DCRatBuild.exe is a 32-bit process, so file system redirection resolves it to the SysWOW64 copy)
         - Suspicious use of WriteProcessMemory
         PID: 2872

         4  C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 2800

            5  C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
               Command line: "C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"
               - Executes dropped EXE
               - Drops file in Program Files directory
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               PID: 2644

               6  C:\Windows\System32\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZdpTwG6ox.bat"
                  - Suspicious use of WriteProcessMemory
                  PID: 592

                  7  C:\Windows\system32\w32tm.exe
                     Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                     (a common batch-file substitute for timeout or ping: with /period:5 /samples:2 it blocks for several seconds before the next line of the batch file runs)
                     PID: 1104

                  7  C:\surrogatereviewRuntimebrokerMonitor\conhost.exe
                     Command line: "C:\surrogatereviewRuntimebrokerMonitor\conhost.exe"
                     - Executes dropped EXE
                     - Modifies system certificate store
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious behavior: GetForegroundWindowSpam
                     - Suspicious use of AdjustPrivilegeToken
                     PID: 2356
The remaining 36 entries are schtasks.exe invocations (image C:\Windows\system32\schtasks.exe). They are listed at depth 1 because their parent, wmiprvse.exe (PID 2652), is not a traced process. Every one of them matches the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". The pattern is the same for each of the 12 dropped binaries: one task named <name> plus a suffix letter that runs every few minutes, one task named <name> that runs ONLOGON with /rl HIGHEST, and a second suffixed task at a different interval with /rl HIGHEST. Every call uses /f, so a later task with the same /tn overwrites an earlier one; the names conhost and conhostc are registered three times for three different binaries, and if the calls ran in the order listed only the last registration (C:\Program Files\Windows Defender\es-ES\conhost.exe) survives.

PID 2920  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
PID 2340  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
PID 928   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
PID 2968  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\conhost.exe'" /f
PID 1900  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f
PID 2576  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f
PID 2348  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /f
PID 2044  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
PID 2848  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
PID 2680  schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /f
PID 1500  schtasks.exe /create /tn "hostNet" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /rl HIGHEST /f
PID 2720  schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /rl HIGHEST /f
PID 2988  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /f
PID 3036  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /rl HIGHEST /f
PID 2984  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /rl HIGHEST /f
PID 2660  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /f
PID 1684  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
PID 1528  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
PID 1664  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /f
PID 2552  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
PID 2392  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
PID 2252  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /f
PID 2008  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
PID 2476  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
PID 1780  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /f
PID 1876  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f
PID 2124  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f
PID 2516  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /f
PID 2168  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f
PID 1132  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f
PID 1280  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
PID 1692  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
PID 2396  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
PID 264   schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /f
PID 792   schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /rl HIGHEST /f
PID 2592  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /rl HIGHEST /f
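A parser for these schtasks.exe /create command lines that flags the persistence pattern they form, as an added example that is not part of the report: per target binary it reports a system-binary name living outside that binary's real directory (the same name-versus-directory check applies to the files under "Drops file in Program Files directory" and "Drops file in Windows directory"), the ONLOGON plus minute-interval pairing, and the /rl HIGHEST run level, and it shows which action each task name ends up pointing at once the /f overwrites are applied. The input is twelve of the 36 command lines above; the EXPECTED_DIRS table and the heuristics are this example's own assumptions.

```python
"""Parse 'schtasks /create' command lines and flag the DcRat persistence
pattern.  Added example; the command lines are twelve of the 36 listed in the
process tree, the EXPECTED_DIRS table and the heuristics are assumptions."""
import re
from collections import defaultdict

# Twelve of the 36 command lines from the process tree (four target binaries).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f''',
    r'''schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f''',
]

# Directories Windows really keeps these binaries in (lower-case, no trailing
# slash).  Assumption of this example; extend from a clean reference host.
EXPECTED_DIRS = {
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "csrss.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}

# /tr values in this report are wrapped as "'path'"; the pattern accepts both
# that form and a plain "path".
OPT = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "interval": re.compile(r"/mo\s+(\d+)", re.I),
    "action": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "runlevel": re.compile(r"/rl\s+(\w+)", re.I),
}

def parse_task(cmdline):
    """Fields of one 'schtasks /create' call, or None if it is not one."""
    if not re.search(r"schtasks(\.exe)?\s+/create", cmdline, re.I):
        return None
    got = {k: rx.search(cmdline) for k, rx in OPT.items()}
    if not (got["name"] and got["schedule"] and got["action"]):
        return None
    return {
        "name": got["name"].group(1),
        "schedule": got["schedule"].group(1).upper(),
        "interval_min": int(got["interval"].group(1)) if got["interval"] else None,
        "action": got["action"].group(1),
        "runlevel": got["runlevel"].group(1).upper() if got["runlevel"] else "LIMITED",
        "force": re.search(r"/f\b", cmdline, re.I) is not None,
    }

def masquerade_reason(path):
    """Non-empty text when the file is named after a Windows system binary but
    sits outside that binary's real directory; empty otherwise."""
    directory, _, filename = path.rpartition("\\")
    expected = EXPECTED_DIRS.get(filename.lower())
    if expected and directory.lower() not in expected:
        return f"{filename} outside {sorted(expected)}"
    return ""

def analyse(cmdlines):
    """Group parsed tasks by action binary and list why each group is
    suspicious.  Returns (tasks, findings) in command-line order."""
    tasks = [t for t in map(parse_task, cmdlines) if t]
    by_action = defaultdict(list)
    for t in tasks:
        by_action[t["action"]].append(t)
    findings = []
    for action, group in by_action.items():
        reasons = []
        why = masquerade_reason(action)
        if why:
            reasons.append("masquerade: " + why)
        if {"ONLOGON", "MINUTE"} <= {t["schedule"] for t in group}:
            reasons.append("logon + minute re-launch")
        if any(t["runlevel"] == "HIGHEST" for t in group):
            reasons.append("runs with highest privileges")
        findings.append({"action": action,
                         "tasks": sorted({t["name"] for t in group}),
                         "reasons": reasons})
    return tasks, findings

def effective_tasks(tasks):
    """Every call uses /f, so a later task with the same /tn replaces an earlier
    one; map each task name to the action it points at after all calls,
    assuming they ran in the listed order."""
    final = {}
    for t in tasks:
        final[t["name"]] = t["action"]
    return final

if __name__ == "__main__":
    tasks, findings = analyse(SAMPLE_CMDLINES)
    for f in findings:
        print(f["action"], f["tasks"], "; ".join(f["reasons"]) or "no finding")
    for name, action in effective_tasks(tasks).items():
        print(f"task {name!r} finally runs {action}")
```

On the twelve lines the parser yields four groups: the OSPPSVC.exe group is flagged only for the logon/minute pairing and the run level (OSPPSVC.exe is not in the EXPECTED_DIRS table), while the two conhost.exe groups and the csrss.exe group are additionally flagged as masquerades, and the surviving "conhost"/"conhostc" tasks both point at the es-ES copy. Fed the full 36 lines it produces twelve groups, one per dropped binary.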
Network
MITRE ATT&CK Enterprise v15
Downloads
(files dropped during the run; the report lists sizes and hashes only, no file names)

Filesize: 215B
MD5: 47e49721ea8091840d99555c83649513
SHA1: 84882c7331314dc1de39b4839eaca0b89c9b62c9
SHA256: ce915c24d44041174160af04fb6dd3e3b6879946626b6c9c95f300870702b4f7
SHA512: 7a9b65a257b3ad33a18ccadf1a20efeda83753143c12df173c561a9d9bad93a0b9608ace77f82a4a99d0b11d4b636d51de791e6588cc03b6c2e380495d43766a

Filesize: 237B
MD5: 67ef89a77b03bfa1932cc54db6dce88f
SHA1: a2afed6d40b91cb6d48a7023fea05c0853437050
SHA256: 67b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30
SHA512: 7bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652

Filesize: 52B
MD5: fbbcc9f113a6c0c84210f8550cffca28
SHA1: b3e94b80d166ad9c71260ce9674b7edd5d00aa25
SHA256: fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f
SHA512: f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8

Filesize: 102KB
MD5: c137c5f5287d73a94d55bc18df238303
SHA1: 95b4b01775bea14feaaa462c98d969eb81696d2c
SHA256: d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512: ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Filesize: 1.1MB
MD5: d5073e19a3ad042b1f759bcd13a65a3f
SHA1: 9df8b87566284b169e56ee4a8b78d72ce2e3e5aa
SHA256: 28aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b
SHA512: 89c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e

Filesize: 827KB
MD5: bc8b1b7e6c72022131728dd99627e1d3
SHA1: 0dcd162ee7a24204fb032b5e02d3f99c185e82bf
SHA256: 60e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a
SHA512: 9dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340