Overview
Overall score: 10

Task                  Platform            Score
Static                static              10
Redline-cr...er.exe   windows7-x64        3
Redline-cr...er.exe   windows10-2004-x64  3
Redline-cr...db.dll   windows7-x64        1
Redline-cr...db.dll   windows10-2004-x64  1
Redline-cr...db.dll   windows7-x64        1
Redline-cr...db.dll   windows10-2004-x64  1
Redline-cr...ks.dll   windows7-x64        1
Redline-cr...ks.dll   windows10-2004-x64  1
Redline-cr...il.dll   windows7-x64        1
Redline-cr...il.dll   windows10-2004-x64  1
Redline-cr...ub.exe   windows7-x64        10
Redline-cr...ub.exe   windows10-2004-x64  10
Redline-cr...st.exe   windows7-x64        3
Redline-cr...st.exe   windows10-2004-x64  3
Redline-cr...CF.dll   windows7-x64        1
Redline-cr...CF.dll   windows10-2004-x64  1
Redline-cr...er.exe   windows7-x64        4
Redline-cr...er.exe   windows10-2004-x64  4
Redline-cr...).docx   windows7-x64        4
Redline-cr...).docx   windows10-2004-x64  1
Redline-cr...).docx   windows7-x64        4
Redline-cr...).docx   windows10-2004-x64  1
Redline-cr...el.exe   windows7-x64        10
Redline-cr...el.exe   windows10-2004-x64  10
Redline-cr...me.exe   windows7-x64        6
Redline-cr...me.exe   windows10-2004-x64  6
Redline-cr...48.exe   windows7-x64        7
Redline-cr...48.exe   windows10-2004-x64  7
Redline-cr...ar.exe   windows7-x64        1
Redline-cr...ar.exe   windows10-2004-x64  1

Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2025, 18:08
Behavioral tasks

Task          Sample                                                               Resource
behavioral1   Redline-crack-by-rzt/Kurome.Builder/Kurome.Builder.exe               win7-20240708-en
behavioral2   Redline-crack-by-rzt/Kurome.Builder/Kurome.Builder.exe               win10v2004-20241007-en
behavioral3   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.Mdb.dll               win7-20241010-en
behavioral4   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.Mdb.dll               win10v2004-20241007-en
behavioral5   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.Pdb.dll               win7-20240708-en
behavioral6   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.Pdb.dll               win10v2004-20241007-en
behavioral7   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.Rocks.dll             win7-20240903-en
behavioral8   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.Rocks.dll             win10v2004-20241007-en
behavioral9   Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.dll                   win7-20240903-en
behavioral10  Redline-crack-by-rzt/Kurome.Builder/Mono.Cecil.dll                   win10v2004-20241007-en
behavioral11  Redline-crack-by-rzt/Kurome.Builder/stub.exe                         win7-20240903-en
behavioral12  Redline-crack-by-rzt/Kurome.Builder/stub.exe                         win10v2004-20241007-en
behavioral13  Redline-crack-by-rzt/Kurome.Host/Kurome.Host.exe                     win7-20240903-en
behavioral14  Redline-crack-by-rzt/Kurome.Host/Kurome.Host.exe                     win10v2004-20241007-en
behavioral15  Redline-crack-by-rzt/Kurome.Host/Kurome.WCF.dll                      win7-20240903-en
behavioral16  Redline-crack-by-rzt/Kurome.Host/Kurome.WCF.dll                      win10v2004-20241007-en
behavioral17  Redline-crack-by-rzt/Kurome.Loader/Kurome.Loader.exe                 win7-20240903-en
behavioral18  Redline-crack-by-rzt/Kurome.Loader/Kurome.Loader.exe                 win10v2004-20241007-en
behavioral19  Redline-crack-by-rzt/Panel/RedLine_20_2/FAQ (English).docx           win7-20240729-en
behavioral20  Redline-crack-by-rzt/Panel/RedLine_20_2/FAQ (English).docx           win10v2004-20241007-en
behavioral21  Redline-crack-by-rzt/Panel/RedLine_20_2/FAQ(RUS).docx                win7-20241010-en
behavioral22  Redline-crack-by-rzt/Panel/RedLine_20_2/FAQ(RUS).docx                win10v2004-20241007-en
behavioral23  Redline-crack-by-rzt/Panel/RedLine_20_2/Panel/panel.exe              win7-20240903-en
behavioral24  Redline-crack-by-rzt/Panel/RedLine_20_2/Panel/panel.exe              win10v2004-20241007-en
behavioral25  Redline-crack-by-rzt/Panel/RedLine_20_2/Tools/Chrome.exe             win7-20240729-en
behavioral26  Redline-crack-by-rzt/Panel/RedLine_20_2/Tools/Chrome.exe             win10v2004-20241007-en
behavioral27  Redline-crack-by-rzt/Panel/RedLine_20_2/Tools/NetFramework48.exe     win7-20240903-en
behavioral28  Redline-crack-by-rzt/Panel/RedLine_20_2/Tools/NetFramework48.exe     win10v2004-20241007-en
behavioral29  Redline-crack-by-rzt/Panel/RedLine_20_2/Tools/WinRar.exe             win7-20240903-en
behavioral30  Redline-crack-by-rzt/Panel/RedLine_20_2/Tools/WinRar.exe             win10v2004-20241007-en
General
Target: Redline-crack-by-rzt/Panel/RedLine_20_2/Panel/panel.exe
Size: 16.4MB
MD5: 1246b7d115005ce9fcc96848c5595d72
SHA1: fa3777c7fe670cea2a4e8267945c3137091c64b5
SHA256: f01393937f06be201400703d1dbfb35397c4a5162f16278ba9d9bb63ddcbcc78
SHA512: 5bf90904cf74a8c3775498578d856dd9f4837077928cd7ce24e4a6ccec00827bcfb28c2079498ba682a4f53204d7ad2bb8de2489005c429dc968e75e26d29101
SSDEEP: 393216:gyOsihmjY/uAKJkDk4x/aQsY3K/jRsBp:FOLhmjY/utek4x/aQsyKLuBp
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource                                                                         yara_rule
behavioral23/memory/2648-21-0x0000000000920000-0x0000000000D5C000-memory.dmp     dcrat
behavioral23/memory/2648-3983-0x0000000000920000-0x0000000000D5C000-memory.dmp   dcrat
behavioral23/memory/3036-4006-0x00000000013B0000-0x00000000017EC000-memory.dmp   dcrat
behavioral23/memory/3036-4015-0x00000000013B0000-0x00000000017EC000-memory.dmp   dcrat

Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                       pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1232  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2100  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2004  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2228  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2192  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2988  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  888   1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4400  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5736  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5820  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  6092  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2804  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  484   1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1572  1720        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2108  1720        schtasks.exe  32

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
resource                                                                         yara_rule
behavioral23/memory/4972-3898-0x000000001F3C0000-0x000000001F3DA000-memory.dmp   family_redline

Redline family
Executes dropped EXE (5 IoCs)
pid   Process
2648  mssurrogateProvider_protected.exe
2668  Panel.exe
4972  Panel.exe
1200  Process not Found
3036  services.exe
Loads dropped DLL (6 IoCs)
pid   Process
2756  panel.exe
2756  panel.exe
2756  panel.exe
2668  Panel.exe
880   cmd.exe
880   cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs; duplicate rows collapsed)
pid   Process
2648  mssurrogateProvider_protected.exe (repeated)
2668  Panel.exe (repeated)
4972  Panel.exe (repeated)
3036  services.exe (repeated)
Drops file in Program Files directory (4 IoCs)
description   ioc                                                                                      Process
File created  C:\Program Files\Windows Defender\ja-JP\c5b4cb5e9653cc                                   mssurrogateProvider_protected.exe
File created  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe        mssurrogateProvider_protected.exe
File created  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\101b941d020240 mssurrogateProvider_protected.exe
File created  C:\Program Files\Windows Defender\ja-JP\services.exe                                     mssurrogateProvider_protected.exe
Drops file in Windows directory (5 IoCs)
description                   ioc                                              Process
File created                  C:\Windows\inf\TermService\0409\OSPPSVC.exe      mssurrogateProvider_protected.exe
File opened for modification  C:\Windows\inf\TermService\0409\OSPPSVC.exe      mssurrogateProvider_protected.exe
File created                  C:\Windows\inf\TermService\0409\1610b97d3ab4a7   mssurrogateProvider_protected.exe
File created                  C:\Windows\twain_32\smss.exe                     mssurrogateProvider_protected.exe
File created                  C:\Windows\twain_32\69ddcba757bf72               mssurrogateProvider_protected.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  panel.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssurrogateProvider_protected.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  w32tm.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  services.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2004  schtasks.exe
2192  schtasks.exe
484   schtasks.exe
1572  schtasks.exe
1232  schtasks.exe
2988  schtasks.exe
5736  schtasks.exe
2108  schtasks.exe
2228  schtasks.exe
2804  schtasks.exe
2100  schtasks.exe
888   schtasks.exe
4400  schtasks.exe
5820  schtasks.exe
6092  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; duplicate rows collapsed)
pid   Process
2648  mssurrogateProvider_protected.exe
2668  Panel.exe (repeated)
4972  Panel.exe (repeated)
3036  services.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; duplicate rows collapsed)
description                        pid   Process
Token: SeDebugPrivilege            2668  Panel.exe
Token: SeDebugPrivilege            2648  mssurrogateProvider_protected.exe
Token: SeDebugPrivilege            4972  Panel.exe
Token: SeDebugPrivilege            3036  services.exe
Token: 33                          4972  Panel.exe (repeated, alternating with the row below)
Token: SeIncBasePriorityPrivilege  4972  Panel.exe (repeated, alternating with the row above)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2648  mssurrogateProvider_protected.exe
3036  services.exe
Suspicious use of WriteProcessMemory (27 IoCs; identical rows collapsed with their count)
description                       pid   Process                            procid_target  count
PID 2756 wrote to memory of 2648  2756  panel.exe                          30             4
PID 2756 wrote to memory of 2668  2756  panel.exe                          31             4
PID 2668 wrote to memory of 4972  2668  Panel.exe                          39             3
PID 2648 wrote to memory of 880   2648  mssurrogateProvider_protected.exe  49             4
PID 880 wrote to memory of 1252   880   cmd.exe                            51             4
PID 1252 wrote to memory of 1728  1252  w32tm.exe                          52             4
PID 880 wrote to memory of 3036   880   cmd.exe                            53             4
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
  PID: 2756
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
    PID: 2648
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PFUyiEWIAf.bat"
      PID: 880
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\w32tm.exe
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 1252
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\w32tm.exe
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 1728

      C:\Program Files\Windows Defender\ja-JP\services.exe
        Command line: "C:\Program Files\Windows Defender\ja-JP\services.exe"
        PID: 3036
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Panel.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
    PID: 2668
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Panel.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      PID: 4972
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\TermService\0409\OSPPSVC.exe'" /f
  PID: 1232
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\OSPPSVC.exe'" /rl HIGHEST /f
  PID: 2100
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\TermService\0409\OSPPSVC.exe'" /rl HIGHEST /f
  PID: 2004
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
  PID: 2228
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  PID: 2192
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  PID: 2988
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f
  PID: 888
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
  PID: 4400
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
  PID: 5736
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe'" /f
  PID: 5820
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe'" /rl HIGHEST /f
  PID: 6092
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe'" /rl HIGHEST /f
  PID: 2804
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\smss.exe'" /f
  PID: 484
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\twain_32\smss.exe'" /rl HIGHEST /f
  PID: 1572
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\smss.exe'" /rl HIGHEST /f
  PID: 2108
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 217B
MD5: 64fff7c0855d0c15a95c964bd1141c3d
SHA1: a741f8b96384651ca0fd567b73ab74fb164c6f3d
SHA256: 763cb4ccafb9798ca071c6da90c2b17a50adf82dbe4fdd1c4b8bcf450b05f32e
SHA512: 1898638a8333bc84a413e57c9082ba537b626616236648d8f477cc086f6ae8a7179245696a3ba8e275cd29076902911d1e701dfe402da7db07326d71ea99a752

Filesize: 9.3MB
MD5: f4e19b67ef27af1434151a512860574e
SHA1: 56304fc2729974124341e697f3b21c84a8dd242a
SHA256: c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
SHA512: a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Filesize: 1.5MB
MD5: fcbf03d90d4e9ce80f575452266e71d1
SHA1: 1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7
SHA256: 2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73
SHA512: 9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380