Analysis
-
max time kernel
132s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 08:33
Static task
static1
Behavioral task
behavioral1
Sample
2d756772bc00e5778d794c107358ddf7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2d756772bc00e5778d794c107358ddf7.exe
Resource
win10v2004-20241007-en
General
-
Target
2d756772bc00e5778d794c107358ddf7.exe
-
Size
1.9MB
-
MD5
2d756772bc00e5778d794c107358ddf7
-
SHA1
77229fc9ceeb137c6644a4fa3085aecabaf94ec3
-
SHA256
a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
-
SHA512
31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
-
SSDEEP
24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Pictures\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\"" 2d756772bc00e5778d794c107358ddf7.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4548 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4144 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4004 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4736 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3640 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1524 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3724 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4136 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4152 2124 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 2124 schtasks.exe 86 -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1712 powershell.exe 2168 powershell.exe 1520 powershell.exe 1532 powershell.exe 1572 powershell.exe 208 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 2d756772bc00e5778d794c107358ddf7.exe -
Executes dropped EXE 1 IoCs
pid Process 972 dwm.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Pictures\\dwm.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Pictures\\dwm.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows NT\\sysmon.exe\"" 2d756772bc00e5778d794c107358ddf7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\"" 2d756772bc00e5778d794c107358ddf7.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 43 ipinfo.io 14 ipinfo.io 15 ipinfo.io 42 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\lhkpi-.exe csc.exe File created \??\c:\Windows\System32\CSCE9775499A1F341F49FFB42D3A3EE0E6.TMP csc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe 2d756772bc00e5778d794c107358ddf7.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\38384e6a620884 2d756772bc00e5778d794c107358ddf7.exe File created C:\Program Files (x86)\Windows NT\sysmon.exe 2d756772bc00e5778d794c107358ddf7.exe File created C:\Program Files (x86)\Windows NT\121e5b5079f7c0 2d756772bc00e5778d794c107358ddf7.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\WaaS\services\SppExtComObj.exe 2d756772bc00e5778d794c107358ddf7.exe File created C:\Windows\ServiceState\EventLog\Data\RuntimeBroker.exe 2d756772bc00e5778d794c107358ddf7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 2d756772bc00e5778d794c107358ddf7.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3640 schtasks.exe 1524 schtasks.exe 4136 schtasks.exe 3332 schtasks.exe 2120 schtasks.exe 4152 schtasks.exe 4144 schtasks.exe 4004 schtasks.exe 4912 schtasks.exe 4736 schtasks.exe 4548 schtasks.exe 2388 schtasks.exe 4336 schtasks.exe 2560 schtasks.exe 4724 schtasks.exe 2092 schtasks.exe 3724 schtasks.exe 2176 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe 3696 2d756772bc00e5778d794c107358ddf7.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 972 dwm.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 3696 2d756772bc00e5778d794c107358ddf7.exe Token: SeDebugPrivilege 1520 powershell.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 1572 powershell.exe Token: SeDebugPrivilege 208 powershell.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 1712 powershell.exe Token: SeDebugPrivilege 972 dwm.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3696 wrote to memory of 2032 3696 2d756772bc00e5778d794c107358ddf7.exe 90 PID 3696 wrote to memory of 2032 3696 2d756772bc00e5778d794c107358ddf7.exe 90 PID 2032 wrote to memory of 2884 2032 csc.exe 92 PID 2032 wrote to memory of 2884 2032 csc.exe 92 PID 3696 wrote to memory of 1712 3696 2d756772bc00e5778d794c107358ddf7.exe 111 PID 3696 wrote to memory of 1712 3696 2d756772bc00e5778d794c107358ddf7.exe 111 PID 3696 wrote to memory of 2168 3696 2d756772bc00e5778d794c107358ddf7.exe 112 PID 3696 wrote to memory of 2168 3696 2d756772bc00e5778d794c107358ddf7.exe 112 PID 3696 wrote to memory of 1520 3696 2d756772bc00e5778d794c107358ddf7.exe 113 PID 3696 wrote to memory of 1520 3696 2d756772bc00e5778d794c107358ddf7.exe 113 PID 3696 wrote to memory of 1532 3696 2d756772bc00e5778d794c107358ddf7.exe 114 PID 3696 wrote to memory of 1532 3696 2d756772bc00e5778d794c107358ddf7.exe 114 PID 3696 wrote to memory of 1572 3696 2d756772bc00e5778d794c107358ddf7.exe 115 PID 3696 wrote to memory of 1572 3696 2d756772bc00e5778d794c107358ddf7.exe 115 PID 3696 wrote to memory of 208 3696 2d756772bc00e5778d794c107358ddf7.exe 116 PID 3696 wrote to memory of 208 3696 2d756772bc00e5778d794c107358ddf7.exe 116 PID 3696 wrote to memory of 1896 3696 2d756772bc00e5778d794c107358ddf7.exe 122 PID 3696 wrote to memory of 1896 3696 2d756772bc00e5778d794c107358ddf7.exe 122 PID 1896 wrote to memory of 3036 1896 cmd.exe 125 PID 1896 wrote to memory of 3036 1896 cmd.exe 125 PID 1896 wrote to memory of 3404 1896 cmd.exe 126 PID 1896 wrote to memory of 3404 1896 cmd.exe 126 PID 1896 wrote to memory of 972 1896 cmd.exe 130 PID 1896 wrote to memory of 972 1896 cmd.exe 130 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ud3xlmm\0ud3xlmm.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8EB.tmp" "c:\Windows\System32\CSCE9775499A1F341F49FFB42D3A3EE0E6.TMP"3⤵PID:2884
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gD3w79rvHf.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3036
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3404
-
-
C:\Users\Default\Pictures\dwm.exe"C:\Users\Default\Pictures\dwm.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf7" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
1KB
MD5d3f29229a436468d08bcd8681d2c22c4
SHA18dba7856aa721b3689bb1ef1d4378e1ba7ff70f8
SHA2563760fa90a828ed8d3060e46a01efef3061b14f4a01e76563e448a9ef53304a15
SHA512b8bdb5cc70404fb94a0ee4690adb684a2171085eabc6fbbb14768d8b66ccf68e08221e3a57019040d1cdd03c0fb9ffaf75b71bfc5bf19ef8be76e19ea33902f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
209B
MD59ed8c6c6c24a50affc65ee1488f23528
SHA1c802be19e82c4fa8fab14369c48a57e7c1197255
SHA256f92392be9a1996f34a33c20e33a572fb0e3a0757540d681fcc0fa84858afe2f3
SHA5128cf18997117ba25b529452ace957013306ea8959df810e148618b8178e601533a48a121d418f43689fac2e4981677ab319e1425df3d301d2ec8481129717a72e
-
Filesize
1.9MB
MD52d756772bc00e5778d794c107358ddf7
SHA177229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
SHA51231fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
-
Filesize
365B
MD58c024e8068db50b3b324eb155ae9ad1c
SHA11f2aa5cddf9ebbbc19f767a0dc2fcf25cf274c72
SHA2569121f0c9175aae080903c02a22392b6a732e7dcec0a344e6c2efe55c5a0c8781
SHA512349cc317bdfd59a220d5fafabe92ca13d4563b532c0f38043c8b27950600035a1cf16e9c79a2b5ce2abea911c4c63d30f6a401cefcbf70b68d6f0e37c872af72
-
Filesize
235B
MD5ac108600f4375570fa6b7bea0bcd3481
SHA1814d96662818d68d147d1806288c1699b9d324a4
SHA256dbf8b634d6c3718fb04937fd72d7cefdd3b3ecc3a99ebf4b84d88e85eb41f66b
SHA512b6532e862aef6f9e6a81d05e1184adb42cde5e659d6ebe7e382ffc20a38431b6bcfb42f237f9c92e8e1f681f2e8060f21217c5dbc62742c17cd4ef1e173a4dce
-
Filesize
1KB
MD575e32610d8ef6143201c7c28465fcda9
SHA1b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA25697ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc