Analysis
-
max time kernel
98s -
max time network
206s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
21-07-2024 17:09
Behavioral task
behavioral1
Sample
Dox_tool.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Dox_tool.exe
Resource
win10v2004-20240709-en
General
-
Target
Dox_tool.exe
-
Size
1.7MB
-
MD5
276b2bfee53d4a1bd9b6ea4d2f1b7dda
-
SHA1
675296357dee37115c193e31fac2de25964f5270
-
SHA256
d9f6c68201892bafc05114797bcfe7d38d14e0d33604fa2b987cd9fb10b0606f
-
SHA512
58f68ce2fa13fd24bc9d93439560d55fc1121eb2ed949f4b9cbcf6aaaf9363ed55803f1a3714c1a171c2b9c7311aae23867624ea8e0987f3108f0a14199324c3
-
SSDEEP
24576:U2G/nvxW3Ww0tlRnL691WiZw7xxf2sOQY6/8YHz4m5LG+sn501TW4l/KXFUO9RZQ:UbA30lBL6e7Xjc4euy4l/KXFU6Ih9
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2684 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2748 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1092 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 536 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2468 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1500 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2836 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 860 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1660 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2168 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 808 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3020 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1088 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1868 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1060 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 900 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1296 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2240 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1676 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 992 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1260 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 812 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 2932 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 2932 schtasks.exe -
Processes:
resource yara_rule \webhostDll\hyperAgent.exe dcrat behavioral1/memory/2768-13-0x0000000000C30000-0x0000000000DA0000-memory.dmp dcrat behavioral1/memory/2772-62-0x00000000003D0000-0x0000000000540000-memory.dmp dcrat -
Executes dropped EXE 2 IoCs
Processes:
hyperAgent.exelsass.exepid process 2768 hyperAgent.exe 2772 lsass.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 584 cmd.exe 584 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ipinfo.io 7 ipinfo.io -
Drops file in Program Files directory 13 IoCs
Processes:
hyperAgent.exedescription ioc process File opened for modification C:\Program Files (x86)\Uninstall Information\Idle.exe hyperAgent.exe File created C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe hyperAgent.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\1610b97d3ab4a7 hyperAgent.exe File created C:\Program Files\Uninstall Information\6203df4a6bafc7 hyperAgent.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe hyperAgent.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe hyperAgent.exe File created C:\Program Files\Uninstall Information\lsass.exe hyperAgent.exe File created C:\Program Files (x86)\Uninstall Information\Idle.exe hyperAgent.exe File created C:\Program Files\VideoLAN\VLC\24dbde2999530e hyperAgent.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\1610b97d3ab4a7 hyperAgent.exe File created C:\Program Files (x86)\Uninstall Information\6ccacd8608530f hyperAgent.exe File created C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe hyperAgent.exe File created C:\Program Files\Windows Sidebar\de-DE\f3b6ecef712a24 hyperAgent.exe -
Drops file in Windows directory 7 IoCs
Processes:
hyperAgent.exedescription ioc process File created C:\Windows\Downloaded Program Files\WMIADAP.exe hyperAgent.exe File created C:\Windows\Downloaded Program Files\75a57c1bdf437c hyperAgent.exe File created C:\Windows\DigitalLocker\de-DE\conhost.exe hyperAgent.exe File created C:\Windows\DigitalLocker\de-DE\088424020bedd6 hyperAgent.exe File created C:\Windows\Vss\Writers\System\OSPPSVC.exe hyperAgent.exe File created C:\Windows\Vss\Writers\System\1610b97d3ab4a7 hyperAgent.exe File created C:\Windows\CSC\v2.0.6\audiodg.exe hyperAgent.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Processes:
lsass.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 lsass.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1092 schtasks.exe 2388 schtasks.exe 1848 schtasks.exe 2684 schtasks.exe 876 schtasks.exe 1664 schtasks.exe 2044 schtasks.exe 860 schtasks.exe 2000 schtasks.exe 1076 schtasks.exe 2516 schtasks.exe 1492 schtasks.exe 1048 schtasks.exe 1436 schtasks.exe 992 schtasks.exe 2444 schtasks.exe 2836 schtasks.exe 1088 schtasks.exe 1260 schtasks.exe 2376 schtasks.exe 2524 schtasks.exe 2168 schtasks.exe 3020 schtasks.exe 1060 schtasks.exe 1712 schtasks.exe 2124 schtasks.exe 1832 schtasks.exe 536 schtasks.exe 2616 schtasks.exe 1296 schtasks.exe 1748 schtasks.exe 2232 schtasks.exe 2960 schtasks.exe 1868 schtasks.exe 812 schtasks.exe 2928 schtasks.exe 2672 schtasks.exe 2468 schtasks.exe 1660 schtasks.exe 1528 schtasks.exe 1500 schtasks.exe 1932 schtasks.exe 808 schtasks.exe 2240 schtasks.exe 576 schtasks.exe 2748 schtasks.exe 900 schtasks.exe 2404 schtasks.exe 1676 schtasks.exe 1800 schtasks.exe 2520 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
hyperAgent.exelsass.exechrome.exepid process 2768 hyperAgent.exe 2768 hyperAgent.exe 2768 hyperAgent.exe 2768 hyperAgent.exe 2768 hyperAgent.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2772 lsass.exe 2852 chrome.exe 2852 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
lsass.exepid process 2772 lsass.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
hyperAgent.exelsass.exechrome.exedescription pid process Token: SeDebugPrivilege 2768 hyperAgent.exe Token: SeDebugPrivilege 2772 lsass.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe Token: SeShutdownPrivilege 2852 chrome.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
chrome.exepid process 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
chrome.exepid process 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe 2852 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Dox_tool.exeWScript.execmd.exehyperAgent.execmd.exechrome.exedescription pid process target process PID 2564 wrote to memory of 2604 2564 Dox_tool.exe WScript.exe PID 2564 wrote to memory of 2604 2564 Dox_tool.exe WScript.exe PID 2564 wrote to memory of 2604 2564 Dox_tool.exe WScript.exe PID 2564 wrote to memory of 2604 2564 Dox_tool.exe WScript.exe PID 2604 wrote to memory of 584 2604 WScript.exe cmd.exe PID 2604 wrote to memory of 584 2604 WScript.exe cmd.exe PID 2604 wrote to memory of 584 2604 WScript.exe cmd.exe PID 2604 wrote to memory of 584 2604 WScript.exe cmd.exe PID 584 wrote to memory of 2768 584 cmd.exe hyperAgent.exe PID 584 wrote to memory of 2768 584 cmd.exe hyperAgent.exe PID 584 wrote to memory of 2768 584 cmd.exe hyperAgent.exe PID 584 wrote to memory of 2768 584 cmd.exe hyperAgent.exe PID 2768 wrote to memory of 2424 2768 hyperAgent.exe cmd.exe PID 2768 wrote to memory of 2424 2768 hyperAgent.exe cmd.exe PID 2768 wrote to memory of 2424 2768 hyperAgent.exe cmd.exe PID 2424 wrote to memory of 2776 2424 cmd.exe w32tm.exe PID 2424 wrote to memory of 2776 2424 cmd.exe w32tm.exe PID 2424 wrote to memory of 2776 2424 cmd.exe w32tm.exe PID 2424 wrote to memory of 2772 2424 cmd.exe lsass.exe PID 2424 wrote to memory of 2772 2424 cmd.exe lsass.exe PID 2424 wrote to memory of 2772 2424 cmd.exe lsass.exe PID 2852 wrote to memory of 2908 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 2908 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 2908 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1364 2852 chrome.exe chrome.exe PID 2852 wrote to memory of 1620 2852 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dox_tool.exe"C:\Users\Admin\AppData\Local\Temp\Dox_tool.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\webhostDll\fNHZv.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\webhostDll\0290EbjbBDdweKiQhFfH.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\webhostDll\hyperAgent.exe"C:\webhostDll\hyperAgent.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X52UoDroZs.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2776
-
-
C:\Program Files\Uninstall Information\lsass.exe"C:\Program Files\Uninstall Information\lsass.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\hyperAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Users\Public\Favorites\hyperAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\hyperAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\webhostDll\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\webhostDll\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\webhostDll\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\de-DE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\webhostDll\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\webhostDll\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\webhostDll\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef529758,0x7feef529768,0x7feef5297782⤵PID:2908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:22⤵PID:1364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:82⤵PID:1620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:82⤵PID:1764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:12⤵PID:1352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:12⤵PID:2308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1976 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:22⤵PID:1296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3192 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:12⤵PID:1504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:82⤵PID:3044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3868 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:12⤵PID:1752
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1KB
MD57818f880c854b79de33f3184e210709f
SHA15b578dda5e94f6981dacb1ed693cd81bd5e9297e
SHA25691644aaa892e5a72b8ebad7771e180157e67cdd5451741ed46020e4db0fbe4a6
SHA512eb4115dd293ae0e0316a7218ed3b9a545ce203accde4b9fb11c8d287fa2d07c03f9e1f1574ab17f4a63232afd0ecfca71f68003f503dcde05d9dcb6223b5c894
-
Filesize
361B
MD5623007566ca641bf4893d4e096ac5636
SHA15bd2ddb7b1ca1d859c539f94925eeac0d51039c1
SHA256b890148cb710a36bdd91a1a474d017683743004de8a4089720a9a1bd64413ed9
SHA512f6a2fb37029c82f26f895822cc26d0f148d9cfa2d07361453b28e0de0f90e66cb234e93d903db27fdfb7b5be13ecc5f4504e58e80570e1cc334bc64136de4bc4
-
Filesize
5KB
MD5ba389e081bf8a073713085d63b51c286
SHA1a1fce0898e0df640d5e2611d820acae9f04db555
SHA2562024dff6ebf6eeed4cbf19cdeb4df10231781ebbf5e96ab26b15d623a7f1acf2
SHA51200052fa635d8facfe68a07e5578c02ba5aadb2c3069b308a6c0f9e50abf3c8cfc6e8c71859a2acfd84b63a7cc80ad4d61b464d78706543c9bd06fa23f4278746
-
Filesize
5KB
MD5c00e15872208a46ebe8f4f2dbc18146f
SHA11e4341a675a818e16ba602a9fe7c8e50b4370568
SHA256428c064f7d6b33c45e275b6e602b87aead5fa87f1b31a2abc28867f6ab89f818
SHA51275614c807a22d9462102c7089fc79dd77e8ce8facba19a0b728654fbc973af1d648f8d50ff2d8362f51b85108bf0e4e2df700f166aa3351ff0774f638d284f01
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
213B
MD5a450c5e370faf1202ffe2ea5b26962f1
SHA14bcab27793c809291a73420fad0598093b7c63d7
SHA2569f2b554faf128f13649f39cf21976178cff85753c66bf3e55ee0e4e3c39da8f1
SHA5122a9a2cf2d1ee10b76c0d903050ac73668eba82a608447ff762aae2600ef43f9dbc4777493eb01513de9ca11699eb4bbd716ee0ceca95bd1d3d5f50963af51afc
-
Filesize
30B
MD5810733c00786845997b0aae47ea1fa35
SHA15397cadacb69da27c8720564529b79c4626f3191
SHA25648fa19bdbe1aea2041d907aa0fbd832efca4b1c0f809e594bf35d4f48c2940f5
SHA51277f0c9db49bce933c2f7c4293352a0626f2997fa417043e10e50f9b6c40fea5e744eb03e7d8850cbff34c1bf3e05f8c3b3637c632ce0c878bd61b7dfb3f6fe1d
-
Filesize
207B
MD5cc0d1e3fc198a8e30655575eb2fc1013
SHA12adc5a011ec323cfedc33b33e9939befa69ae8fc
SHA25650505261daaf6ed3d589b87313bd71b4fdc0786a9645ef2c684e2a9e3680cff3
SHA5120e4f49fd4cce7ae8594733bc7b492ea5ed1b94aeee9af7f9e170e570c93e50c0cd84d2f350cf612d0fdd7adfdc31fadb8fc039b8ff5d1f92ece227fd124b8416
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.4MB
MD5741ed82d8e221881bfdddfce745bb615
SHA1b8c6122c5403419d2558550a46e6f8735117256b
SHA256a9c733108faf9fde17095aa2ff04ac2af0c993c7845e964af6e943cd4230e86b
SHA5125e9706608893a74405b24c34f9248acf3584a2a09fea1dd64d9a5e9ebc3a6721dafbd4fb2a524a09a76589eadf91bb2510ee37e3678bf9b9f8f417e2b94fda2b