Analysis
max time kernel
118s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
31-05-2024 10:13
Static task
static1
Behavioral task
behavioral1
Sample
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe
Resource
win10v2004-20240508-en
General
Target
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe
Size
50.0MB
MD5
0b222b4a899979ddf52b634b82368a08
SHA1
a07b66cde199d96efb99718b9b7d365036350c29
SHA256
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295
SHA512
70c8101223e1e5c5b9aec69d756469ba2ca2370cb92bdc28d4990174f9c2f3d93cc1512049d650fa31f1993ddef49da98007552331a05332741497df5b063e51
SSDEEP
1572864:WK7C5EpF9PX7uC/mVLJhbWnRdrF10hWNYP02oa:WK7CMrLv0JhbWT/mXs2
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 19 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows 
Media Player\\dwm.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", 
\"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All 
Users\\dwm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = 
"explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = 
"explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" svchost.exe -
Process spawned unexpected child process 57 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2784 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 2336 
schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1148 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1068 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1092 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1132 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1104 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1380 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 476 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2704 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 1064 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1564 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1700 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 900 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1676 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 976 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to 
spawn this process 2428 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2564 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2336 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 2336 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\svchost.exe dcrat \Users\Admin\AppData\Local\Temp\system32\svchost.exe dcrat behavioral1/memory/1984-295-0x0000000000150000-0x00000000001A6000-memory.dmp dcrat behavioral1/memory/2732-440-0x00000000010D0000-0x0000000001126000-memory.dmp dcrat -
Executes dropped EXE 7 IoCs
Processes:
BoosterX.exe svchost.exe intro.exe intro.exe svchost.exe lsass.exe pid process 2232 BoosterX.exe 2028 svchost.exe 1676 intro.exe 2036 intro.exe 1368 1984 svchost.exe 2732 lsass.exe -
Loads dropped DLL 6 IoCs
Processes:
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe intro.exe intro.exe cmd.exe pid process 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe 1676 intro.exe 2036 intro.exe 1368 880 cmd.exe 880 cmd.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\_MEI16762\python310.dll upx behavioral1/memory/2036-145-0x000007FEF25D0000-0x000007FEF2A3E000-memory.dmp upx -
Adds Run key to start application 2 TTPs 38 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\DigitalLocker\\winlogon.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\ShellNew\\conhost.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Offline Web Pages\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Offline Web Pages\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\"" svchost.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\es-ES\\Idle.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\ShellNew\\conhost.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sk-SK\\lsm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\DigitalLocker\\winlogon.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\"" svchost.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = 
"\"C:\\Windows\\System32\\sk-SK\\lsm.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\es-ES\\Idle.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\"" svchost.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exe description ioc process File created C:\Windows\System32\sk-SK\lsm.exe svchost.exe File created C:\Windows\System32\sk-SK\101b941d020240 svchost.exe -
Drops file in Program Files directory 12 IoCs
Processes:
svchost.exedescription ioc process File created C:\Program Files\Windows Portable Devices\cmd.exe svchost.exe File created C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d svchost.exe File created C:\Program Files\Windows NT\TableTextService\it-IT\75a57c1bdf437c svchost.exe File created C:\Program Files\Windows Journal\ja-JP\spoolsv.exe svchost.exe File created C:\Program Files\Windows Journal\ja-JP\f3b6ecef712a24 svchost.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe svchost.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\101b941d020240 svchost.exe File created C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe svchost.exe File created C:\Program Files\Windows Photo Viewer\it-IT\6203df4a6bafc7 svchost.exe File created C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe svchost.exe File created C:\Program Files (x86)\Windows Media Player\dwm.exe svchost.exe File created C:\Program Files (x86)\Windows Media Player\6cb0b6c459d5d3 svchost.exe -
Drops file in Windows directory 10 IoCs
Processes:
svchost.exe description ioc process File created C:\Windows\AppCompat\Programs\taskhost.exe svchost.exe File created C:\Windows\AppCompat\Programs\b75386f1303e64 svchost.exe File created C:\Windows\Offline Web Pages\lsass.exe svchost.exe File created C:\Windows\Offline Web Pages\6203df4a6bafc7 svchost.exe File created C:\Windows\DigitalLocker\winlogon.exe svchost.exe File created C:\Windows\ShellNew\conhost.exe svchost.exe File created C:\Windows\ShellNew\088424020bedd6 svchost.exe File created C:\Windows\es-ES\Idle.exe svchost.exe File created C:\Windows\es-ES\6ccacd8608530f svchost.exe File created C:\Windows\DigitalLocker\cc11b995f2a76d svchost.exe -
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\intro.exe pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1912 schtasks.exe 2020 schtasks.exe 2512 schtasks.exe 976 schtasks.exe 2612 schtasks.exe 1104 schtasks.exe 2092 schtasks.exe 2016 schtasks.exe 2588 schtasks.exe 1240 schtasks.exe 2308 schtasks.exe 2868 schtasks.exe 2032 schtasks.exe 900 schtasks.exe 2152 schtasks.exe 1064 schtasks.exe 1700 schtasks.exe 2820 schtasks.exe 2784 schtasks.exe 2704 schtasks.exe 1996 schtasks.exe 2480 schtasks.exe 476 schtasks.exe 2628 schtasks.exe 1092 schtasks.exe 2428 schtasks.exe 1708 schtasks.exe 2972 schtasks.exe 2904 schtasks.exe 2484 schtasks.exe 1744 schtasks.exe 1128 schtasks.exe 1676 schtasks.exe 2892 schtasks.exe 2660 schtasks.exe 1068 schtasks.exe 2012 schtasks.exe 1132 schtasks.exe 2464 schtasks.exe 2672 schtasks.exe 2564 schtasks.exe 2380 schtasks.exe 3008 schtasks.exe 2996 schtasks.exe 1380 schtasks.exe 2472 schtasks.exe 1148 schtasks.exe 2420 schtasks.exe 2000 schtasks.exe 2580 schtasks.exe 2192 schtasks.exe 2452 schtasks.exe 1528 schtasks.exe 1556 schtasks.exe 1564 schtasks.exe 552 schtasks.exe 1456 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
svchost.exelsass.exepid process 1984 svchost.exe 1984 svchost.exe 1984 svchost.exe 1984 svchost.exe 1984 svchost.exe 2732 lsass.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
BoosterX.exesvchost.exelsass.exedescription pid process Token: SeDebugPrivilege 2232 BoosterX.exe Token: SeDebugPrivilege 1984 svchost.exe Token: SeDebugPrivilege 2732 lsass.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exeintro.exesvchost.exeWScript.execmd.exesvchost.exedescription pid process target process PID 1152 wrote to memory of 2232 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe BoosterX.exe PID 1152 wrote to memory of 2232 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe BoosterX.exe PID 1152 wrote to memory of 2232 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe BoosterX.exe PID 1152 wrote to memory of 2028 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe svchost.exe PID 1152 wrote to memory of 2028 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe svchost.exe PID 1152 wrote to memory of 2028 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe svchost.exe PID 1152 wrote to memory of 2028 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe svchost.exe PID 1152 wrote to memory of 1676 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe schtasks.exe PID 1152 wrote to memory of 1676 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe schtasks.exe PID 1152 wrote to memory of 1676 1152 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe schtasks.exe PID 1676 wrote to memory of 2036 1676 intro.exe intro.exe PID 1676 wrote to memory of 2036 1676 intro.exe intro.exe PID 1676 wrote to memory of 2036 1676 intro.exe intro.exe PID 2028 wrote to memory of 1292 2028 svchost.exe WScript.exe PID 2028 wrote to memory of 1292 2028 svchost.exe WScript.exe PID 2028 wrote to memory of 1292 2028 svchost.exe WScript.exe PID 2028 wrote to memory of 1292 2028 svchost.exe WScript.exe PID 1292 wrote to memory of 880 1292 WScript.exe cmd.exe PID 1292 wrote to memory of 880 1292 WScript.exe cmd.exe PID 1292 wrote to memory of 880 1292 WScript.exe cmd.exe PID 1292 wrote to memory of 880 1292 WScript.exe 
cmd.exe PID 880 wrote to memory of 1984 880 cmd.exe svchost.exe PID 880 wrote to memory of 1984 880 cmd.exe svchost.exe PID 880 wrote to memory of 1984 880 cmd.exe svchost.exe PID 880 wrote to memory of 1984 880 cmd.exe svchost.exe PID 1984 wrote to memory of 2732 1984 svchost.exe lsass.exe PID 1984 wrote to memory of 2732 1984 svchost.exe lsass.exe PID 1984 wrote to memory of 2732 1984 svchost.exe lsass.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe"C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\system32\zpcS8zO5yqSLxdW.vbe"3⤵
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\system32\x52n02Ru6CyAUqZaamJgdYl7XD.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe"C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe"C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\intro.exe"C:\Users\Admin\AppData\Local\Temp\intro.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\intro.exe"C:\Users\Admin\AppData\Local\Temp\intro.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\sk-SK\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\sk-SK\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\attachments\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\attachments\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2 Registry Run Keys / Startup Folder
1 Winlogon Helper DLL
1 Scheduled Task/Job
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
Filesize 33.2MB
MD5 8a5510bea4ccd744c30cc7338a2144c1
SHA1 8e96a6e02e5f4da4c5f1bcf60ea402eee4f5be94
SHA256 9d0b6ae05c845ce78318d91b514b46947b2e6f37ffb368a1cefee77ad63faee5
SHA512 a81d5d63d66b508144888f43c9898aaeda88382d9ede39ae8df74114908a0fcf165d62eafd9454dd23887229d366a012faada248e981926e7d1b4b696454476f
-
C:\Users\Admin\AppData\Local\Temp\CabF0D6.tmp
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar1294.tmp
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\TarF0E9.tmp
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\_MEI16762\python310.dll
Filesize 1.4MB
MD5 69d4f13fbaeee9b551c2d9a4a94d4458
SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize 625KB
MD5 c42d8a59dfdf8b506966f345e3d1c1d4
SHA1 952fc1daa6ab67d9d409e8d8042a660a1d4fc0c4
SHA256 116d4d9bb2b20bd34b0361b50fe0d89e092573e298d8c5d711d72c575d0251c5
SHA512 c26b0b39ce91765414e78d91d5c1274e96c1d9ec32c30e2bd2ddfc88a89b5ee43919af6307a90687cd3186f18f9fc5823741fc16d3e766e281061d25cd2ec833
-
C:\Users\Admin\AppData\Local\Temp\system32\x52n02Ru6CyAUqZaamJgdYl7XD.bat
Filesize 29B
MD5 9fbb732e85f6d645a30670510c91a970
SHA1 e01aca7db81e73f130fb130a19167e3d15ab1c35
SHA256 0cccbc2ae9a033964744611a94a7833113187a44f6ff578cca1f92d5452e4662
SHA512 73625ad5f8530bf36da93e03cb95de84e2d8033a2d9586e1fe73fe025198527851e6952cd059ef3c909f8d302ab4434da9d321cf669b0db89d6d5c0a632988e2
-
C:\Users\Admin\AppData\Local\Temp\system32\zpcS8zO5yqSLxdW.vbe
Filesize 216B
MD5 65444226ae490b86a0fec836b4367a26
SHA1 77dce5f1b41473f668e3ff246254829b2ab1fa79
SHA256 9976269700d06f1ea5af0002b117026d52e1009846fdb08b5d13bd5bdb571f74
SHA512 ec430acce8c93348c34d32daf17df40738617ca64a04a48a82355302fcaeecb6de0c4c8a950cfe11d7b42337b5bda25a0cf75ff76d0e02489c157af0e942b052
-
\Users\Admin\AppData\Local\Temp\intro.exe
Filesize 18.0MB
MD5 1d09f385973ff8ee2ad66dff2974e7d1
SHA1 6ce3423a6f6c9b1c75b8122b1ac1d6064f20e690
SHA256 54acbb15e0440c95c28e55e0ca1fb4133fafb17ad4810eb5608c6108d8b29a5a
SHA512 664d85829e1f27a58571db30df1839dd110a957cdb69f2121daad83c6ae2e02f50844b330a458294f89e507e8f1d20c9b83fdb712d7d8414d6eca3845961f703
-
\Users\Admin\AppData\Local\Temp\system32\svchost.exe
Filesize 315KB
MD5 424c6a907442c498dc37e7cfab9e62b0
SHA1 086872176d32cb129e68f4b3548ac4faa6f6780a
SHA256 66ebe251f8bd343f906e26b788c5e3e24a967f876ff7007a24fd40c427752872
SHA512 8c8da5892f88841f135e0aa81fd8ede84cdfaa1856bd4f3937d87de79dcf426713d73a34084cdba860b83978a8b0568e9b2c2a0c8da11f112cd8bd0a20164bed
-
memory/1152-75-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
Filesize 9.9MB
-
memory/1152-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp
Filesize 4KB
-
memory/1152-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
Filesize 9.9MB
-
memory/1152-1-0x00000000003F0000-0x00000000035F6000-memory.dmp
Filesize 50.0MB
-
memory/1984-295-0x0000000000150000-0x00000000001A6000-memory.dmp
Filesize 344KB
-
memory/2036-145-0x000007FEF25D0000-0x000007FEF2A3E000-memory.dmp
Filesize 4.4MB
-
memory/2232-149-0x000000001D550000-0x000000001ED26000-memory.dmp
Filesize 23.8MB
-
memory/2232-14-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
Filesize 9.9MB
-
memory/2232-13-0x0000000001210000-0x0000000003348000-memory.dmp
Filesize 33.2MB
-
memory/2232-535-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp
Filesize 9.9MB
-
memory/2732-440-0x00000000010D0000-0x0000000001126000-memory.dmp
Filesize 344KB