Analysis Overview
SHA256
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295
Threat Level: Known bad
The file faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
DCRat payload
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Creates scheduled task(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 10:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 10:13
Reported
2024-05-31 10:16
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\upfc.exe\", \"C:\\Windows\\ShellExperiences\\dllhost.exe\", \"C:\\Users\\Default\\Music\\SppExtComObj.exe\", \"C:\\Users\\Public\\Pictures\\System.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\upfc.exe\", \"C:\\Windows\\ShellExperiences\\dllhost.exe\", \"C:\\Users\\Default\\Music\\SppExtComObj.exe\", \"C:\\Users\\Public\\Pictures\\System.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\upfc.exe\", \"C:\\Windows\\ShellExperiences\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\upfc.exe\", \"C:\\Windows\\ShellExperiences\\dllhost.exe\", \"C:\\Users\\Default\\Music\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Media Player\\upfc.exe\", \"C:\\Windows\\ShellExperiences\\dllhost.exe\", \"C:\\Users\\Default\\Music\\SppExtComObj.exe\", \"C:\\Users\\Public\\Pictures\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\upfc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Media Player\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Pictures\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Pictures\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Media Player\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default\\Music\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default\\Music\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ShellExperiences\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ShellExperiences\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\upfc.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ea1d8f6d871115 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\uninstall\121e5b5079f7c0 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ShellExperiences\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\ShellExperiences\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\upfc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe
"C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe"
C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
"C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\intro.exe
"C:\Users\Admin\AppData\Local\Temp\intro.exe"
C:\Users\Admin\AppData\Local\Temp\intro.exe
"C:\Users\Admin\AppData\Local\Temp\intro.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\system32\zpcS8zO5yqSLxdW.vbe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
| Image | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f" |
| C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" |
| C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\wbem\WMIC.exe csproduct get uuid |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system32\x52n02Ru6CyAUqZaamJgdYl7XD.bat" " |
| C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\SppExtComObj.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Music\SppExtComObj.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\SppExtComObj.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\System.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\conhost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ziPnkj5OJP.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" |
| C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\wbem\WMIC.exe csproduct get uuid |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" |
| C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\wbem\WMIC.exe csproduct get uuid |
| C:\Program Files\Windows Media Player\upfc.exe | "C:\Program Files\Windows Media Player\upfc.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cloudflare.com | udp |
| US | 104.16.123.96:443 | www.cloudflare.com | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | 96.123.16.104.in-addr.arpa | udp |
| US | 104.16.123.96:443 | www.cloudflare.com | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.16.123.96:443 | www.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 44.9.26.104.in-addr.arpa | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | a0986534.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0986534.xsph.ru | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | a0986534.xsph.ru | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
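Most rows in the table above are resolver traffic: queries to 8.8.8.8 and reverse (in-addr.arpa) lookups of hosts already contacted. The following Python is an added example, not part of the report: it parses the table rows, drops that DNS noise, collapses repeated connections, and labels each remaining destination. The classification lists (sandbox or Windows background hosts, public-IP lookup services, legitimate services commonly abused for payload hosting) are the example's own assumptions and go beyond the page with api.ipify.org, ifconfig.me and cdn.discordapp.com; whatever is left unlabelled, here the cleartext HTTP host on port 80, is the destination to review first.

```python
import re

# Constructed sample: rows copied from the Network table above.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | a0986534.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0986534.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0986534.xsph.ru | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# Classification lists (assumed, not from the report): hosts the sandbox or
# Windows itself contacts; public-IP lookup services; legitimate services
# commonly abused for payload hosting or exfiltration.
SANDBOX_NOISE = {"www.bing.com", "tse1.mm.bing.net", "www.cloudflare.com"}
IP_LOOKUP = {"ipapi.co", "api.ipify.org", "ifconfig.me"}
ABUSED_HOSTING = {"discord.com", "cdn.discordapp.com", "raw.githubusercontent.com"}

ROW_RE = re.compile(r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")


def parse_rows(text):
    """Parse '| CC | ip:port | domain | proto |' rows into tuples; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append((country, ip, int(port), domain, proto))
    return rows


def is_resolver_noise(port, domain, proto):
    # DNS queries and PTR lookups of hosts already contacted carry no payload.
    return domain.endswith(".in-addr.arpa") or (proto == "udp" and port == 53)


def summarize(text):
    """One record per (domain, ip, port) with a hit count and triage labels."""
    records = {}
    for country, ip, port, domain, proto in parse_rows(text):
        if is_resolver_noise(port, domain, proto):
            continue
        rec = records.setdefault((domain, ip, port), {
            "domain": domain, "ip": ip, "port": port, "proto": proto,
            "country": country, "hits": 0, "labels": [],
        })
        rec["hits"] += 1
    for rec in records.values():
        labels = rec["labels"]
        if rec["domain"] in SANDBOX_NOISE:
            labels.append("sandbox_noise")
        if rec["domain"] in IP_LOOKUP:
            labels.append("external_ip_lookup")
        if rec["domain"] in ABUSED_HOSTING:
            labels.append("abused_hosting")
        if rec["port"] == 80:
            labels.append("cleartext_http")
        if not any(l in labels for l in ("sandbox_noise", "external_ip_lookup", "abused_hosting")):
            labels.append("needs_review")       # unexplained destination: look here first
    return list(records.values())


if __name__ == "__main__":
    for rec in summarize(NETWORK_TABLE):
        print(f'{rec["domain"]:22} {rec["ip"]}:{rec["port"]:<5} x{rec["hits"]}  {rec["labels"]}')
```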
Files
memory/3620-0-0x00007FFF7C533000-0x00007FFF7C535000-memory.dmp
memory/3620-1-0x0000000000C00000-0x0000000003E06000-memory.dmp
memory/3620-2-0x00007FFF7C530000-0x00007FFF7CFF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
| MD5 | 8a5510bea4ccd744c30cc7338a2144c1 |
| SHA1 | 8e96a6e02e5f4da4c5f1bcf60ea402eee4f5be94 |
| SHA256 | 9d0b6ae05c845ce78318d91b514b46947b2e6f37ffb368a1cefee77ad63faee5 |
| SHA512 | a81d5d63d66b508144888f43c9898aaeda88382d9ede39ae8df74114908a0fcf165d62eafd9454dd23887229d366a012faada248e981926e7d1b4b696454476f |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | c42d8a59dfdf8b506966f345e3d1c1d4 |
| SHA1 | 952fc1daa6ab67d9d409e8d8042a660a1d4fc0c4 |
| SHA256 | 116d4d9bb2b20bd34b0361b50fe0d89e092573e298d8c5d711d72c575d0251c5 |
| SHA512 | c26b0b39ce91765414e78d91d5c1274e96c1d9ec32c30e2bd2ddfc88a89b5ee43919af6307a90687cd3186f18f9fc5823741fc16d3e766e281061d25cd2ec833 |
memory/5004-20-0x00007FFF7C530000-0x00007FFF7CFF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\intro.exe
| MD5 | 1d09f385973ff8ee2ad66dff2974e7d1 |
| SHA1 | 6ce3423a6f6c9b1c75b8122b1ac1d6064f20e690 |
| SHA256 | 54acbb15e0440c95c28e55e0ca1fb4133fafb17ad4810eb5608c6108d8b29a5a |
| SHA512 | 664d85829e1f27a58571db30df1839dd110a957cdb69f2121daad83c6ae2e02f50844b330a458294f89e507e8f1d20c9b83fdb712d7d8414d6eca3845961f703 |
memory/3620-103-0x00007FFF7C530000-0x00007FFF7CFF1000-memory.dmp
memory/5004-117-0x000001AD46B00000-0x000001AD48C38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\python310.dll
| MD5 | 69d4f13fbaeee9b551c2d9a4a94d4458 |
| SHA1 | 69540d8dfc0ee299a7ff6585018c7db0662aa629 |
| SHA256 | 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046 |
| SHA512 | 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/3732-156-0x00007FFF7A000000-0x00007FFF7A46E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\libffi-7.dll
| MD5 | b5150b41ca910f212a1dd236832eb472 |
| SHA1 | a17809732c562524b185953ffe60dfa91ba3ce7d |
| SHA256 | 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a |
| SHA512 | 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_socket.pyd
| MD5 | afd296823375e106c4b1ac8b39927f8b |
| SHA1 | b05d811e5a5921d5b5cc90b9e4763fd63783587b |
| SHA256 | e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007 |
| SHA512 | 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\select.pyd
| MD5 | 72009cde5945de0673a11efb521c8ccd |
| SHA1 | bddb47ac13c6302a871a53ba303001837939f837 |
| SHA256 | 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca |
| SHA512 | d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\VCRUNTIME140_1.dll
| MD5 | bba9680bc310d8d25e97b12463196c92 |
| SHA1 | 9a480c0cf9d377a4caedd4ea60e90fa79001f03a |
| SHA256 | e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab |
| SHA512 | 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\pythoncom310.dll
| MD5 | 9051abae01a41ea13febdea7d93470c0 |
| SHA1 | b06bd4cd4fd453eb827a108e137320d5dc3a002f |
| SHA256 | f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399 |
| SHA512 | 58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\win32api.pyd
| MD5 | 561f419a2b44158646ee13cd9af44c60 |
| SHA1 | 93212788de48e0a91e603d74f071a7c8f42fe39b |
| SHA256 | 631465da2a1dad0cb11cd86b14b4a0e4c7708d5b1e8d6f40ae9e794520c3aaf7 |
| SHA512 | d76ab089f6dc1beffd5247e81d267f826706e60604a157676e6cbc3b3447f5bcee66a84bf35c21696c020362fadd814c3e0945942cdc5e0dfe44c0bca169945c |
memory/3732-198-0x00007FFF7D020000-0x00007FFF7D04B000-memory.dmp
memory/3732-197-0x00007FFF76F00000-0x00007FFF76FBC000-memory.dmp
memory/3732-196-0x00007FFF7D050000-0x00007FFF7D07E000-memory.dmp
memory/3732-195-0x00007FFF8CA40000-0x00007FFF8CA4D000-memory.dmp
memory/3732-194-0x00007FFF8CB60000-0x00007FFF8CB6D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\system32\zpcS8zO5yqSLxdW.vbe
| MD5 | 65444226ae490b86a0fec836b4367a26 |
| SHA1 | 77dce5f1b41473f668e3ff246254829b2ab1fa79 |
| SHA256 | 9976269700d06f1ea5af0002b117026d52e1009846fdb08b5d13bd5bdb571f74 |
| SHA512 | ec430acce8c93348c34d32daf17df40738617ca64a04a48a82355302fcaeecb6de0c4c8a950cfe11d7b42337b5bda25a0cf75ff76d0e02489c157af0e942b052 |
memory/3732-193-0x00007FFF8A0A0000-0x00007FFF8A0B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_decimal.pyd
| MD5 | eb45ea265a48348ce0ac4124cb72df22 |
| SHA1 | ecdc1d76a205f482d1ed9c25445fa6d8f73a1422 |
| SHA256 | 3881f00dbc4aadf9e87b44c316d93425a8f6ba73d72790987226238defbc7279 |
| SHA512 | f7367bf2a2d221a7508d767ad754b61b2b02cdd7ae36ae25b306f3443d4800d50404ac7e503f589450ed023ff79a2fb1de89a30a49aa1dd32746c3e041494013 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\psutil\_psutil_windows.pyd
| MD5 | fb17b2f2f09725c3ffca6345acd7f0a8 |
| SHA1 | b8d747cc0cb9f7646181536d9451d91d83b9fc61 |
| SHA256 | 9c7d401418db14353db85b54ff8c7773ee5d17cbf9a20085fde4af652bd24fc4 |
| SHA512 | b4acb60045da8639779b6bb01175b13344c3705c92ea55f9c2942f06c89e5f43cedae8c691836d63183cacf2d0a98aa3bcb0354528f1707956b252206991bf63 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_ssl.pyd
| MD5 | 1e643c629f993a63045b0ff70d6cf7c6 |
| SHA1 | 9af2d22226e57dc16c199cad002e3beb6a0a0058 |
| SHA256 | 4a50b4b77bf9e5d6f62c7850589b80b4caa775c81856b0d84cb1a73d397eb38a |
| SHA512 | 9d8cd6e9c03880cc015e87059db28ff588881679f8e3f5a26a90f13e2c34a5bd03fb7329d9a4e33c4a01209c85a36fc999e77d9ece42cebdb738c2f1fd6775af |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\libcrypto-1_1.dll
| MD5 | da5fe6e5cfc41381025994f261df7148 |
| SHA1 | 13998e241464952d2d34eb6e8ecfcd2eb1f19a64 |
| SHA256 | de045c36ae437a5b40fc90a8a7cc037facd5b7e307cfcf9a9087c5f1a6a2cf18 |
| SHA512 | a0d7ebf83204065236439d495eb3c97be093c41daac2e6cfbbb1aa8ffeac049402a3dea7139b1770d2e1a45e08623a56a94d64c8f0c5be74c5bae039a2bc6ca9 |
memory/3732-208-0x00007FFF7D670000-0x00007FFF7D68C000-memory.dmp
memory/3732-207-0x00007FFF8C690000-0x00007FFF8C69A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_uuid.pyd
| MD5 | 81dfa68ca3cb20ced73316dbc78423f6 |
| SHA1 | 8841cf22938aa6ee373ff770716bb9c6d9bc3e26 |
| SHA256 | d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190 |
| SHA512 | e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb |
memory/3732-203-0x00007FFF76BE0000-0x00007FFF76C22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\pywintypes310.dll
| MD5 | 6f2aa8fa02f59671f99083f9cef12cda |
| SHA1 | 9fd0716bcde6ac01cd916be28aa4297c5d4791cd |
| SHA256 | 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6 |
| SHA512 | f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_queue.pyd
| MD5 | 0d267bb65918b55839a9400b0fb11aa2 |
| SHA1 | 54e66a14bea8ae551ab6f8f48d81560b2add1afc |
| SHA256 | 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c |
| SHA512 | c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56 |
memory/3732-177-0x00007FFF7D080000-0x00007FFF7D0B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\pyexpat.pyd
| MD5 | 5a328b011fa748939264318a433297e2 |
| SHA1 | d46dd2be7c452e5b6525e88a2d29179f4c07de65 |
| SHA256 | e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14 |
| SHA512 | 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87 |
memory/3732-173-0x00007FFF7D690000-0x00007FFF7D6BD000-memory.dmp
memory/3732-172-0x00007FFF8BA80000-0x00007FFF8BA99000-memory.dmp
memory/3732-171-0x00007FFF90B80000-0x00007FFF90B8F000-memory.dmp
memory/3732-170-0x00007FFF82D90000-0x00007FFF82DB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_lzma.pyd
| MD5 | abceeceaeff3798b5b0de412af610f58 |
| SHA1 | c3c94c120b5bed8bccf8104d933e96ac6e42ca90 |
| SHA256 | 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e |
| SHA512 | 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_bz2.pyd
| MD5 | 758fff1d194a7ac7a1e3d98bcf143a44 |
| SHA1 | de1c61a8e1fb90666340f8b0a34e4d8bfc56da07 |
| SHA256 | f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708 |
| SHA512 | 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_ctypes.pyd
| MD5 | 6ca9a99c75a0b7b6a22681aa8e5ad77b |
| SHA1 | dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8 |
| SHA256 | d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8 |
| SHA512 | b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\libssl-1_1.dll
| MD5 | 48d792202922fffe8ea12798f03d94de |
| SHA1 | f8818be47becb8ccf2907399f62019c3be0efeb5 |
| SHA256 | 8221a76831a103b2b2ae01c3702d0bba4f82f2afd4390a3727056e60b28650cc |
| SHA512 | 69f3a8b556dd517ae89084623f499ef89bd0f97031e3006677ceed330ed13fcc56bf3cde5c9ed0fc6c440487d13899ffda775e6a967966294cadfd70069b2833 |
memory/3732-213-0x00007FFF76690000-0x00007FFF766BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\python3.dll
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\base_library.zip
| MD5 | fbd6be906ac7cd45f1d98f5cb05f8275 |
| SHA1 | 5d563877a549f493da805b4d049641604a6a0408 |
| SHA256 | ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0 |
| SHA512 | 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a |
memory/3732-216-0x00007FFF76590000-0x00007FFF76648000-memory.dmp
memory/3732-219-0x00007FFF718B0000-0x00007FFF71C25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\charset_normalizer\md.cp310-win_amd64.pyd
| MD5 | 79f58590559566a010140b0b94a9ff3f |
| SHA1 | e3b6b62886bba487e524cbba4530ca703b24cbda |
| SHA256 | f8eae2b1020024ee92ba116c29bc3c8f80906be2029ddbe0c48ca1d02bf1ea73 |
| SHA512 | ecfcd6c58175f3e95195abe9a18bb6dd1d10b989539bf24ea1bcdbd3c435a10bbd2d8835a4c3acf7f9aeb44b160307ae0c377125202b9dbf0dd6e8cfd2603131 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\unicodedata.pyd
| MD5 | ca3baebf8725c7d785710f1dfbb2736d |
| SHA1 | 8f9aec2732a252888f3873967d8cc0139ff7f4e5 |
| SHA256 | f2d03a39556491d1ace63447b067b38055f32f5f1523c01249ba18052c599b4c |
| SHA512 | 5c2397e4dcb361a154cd3887c229bcf7ef980acbb4b851a16294d5df6245b2615cc4b42f6a95cf1d3c49b735c2f7025447247d887ccf4cd964f19f14e4533470 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_sqlite3.pyd
| MD5 | 7b45afc909647c373749ef946c67d7cf |
| SHA1 | 81f813c1d8c4b6497c01615dcb6aa40b92a7bd20 |
| SHA256 | a5f39bfd2b43799922e303a3490164c882f6e630777a3a0998e89235dc513b5e |
| SHA512 | fe67e58f30a2c95d7d42a102ed818f4d57baa524c5c2d781c933de201028c75084c3e836ff4237e066f3c7dd6a5492933c3da3fee76eb2c50a6915996ef6d7fb |
memory/3732-235-0x00007FFF763A0000-0x00007FFF764B8000-memory.dmp
memory/3732-239-0x00007FFF76380000-0x00007FFF7639F000-memory.dmp
memory/3732-240-0x00007FFF75C90000-0x00007FFF75E01000-memory.dmp
memory/3732-238-0x00007FFF82D90000-0x00007FFF82DB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\sqlite3.dll
| MD5 | b70d218798c0fec39de1199c796ebce8 |
| SHA1 | 73b9f8389706790a0fec3c7662c997d0a238a4a0 |
| SHA256 | 4830e8d4ae005a73834371fe7bb5b91ca8a4c4c3a4b9a838939f18920f10faff |
| SHA512 | 2ede15cc8a229bfc599980ce7180a7a3c37c0264415470801cf098ef4dac7bcf857821f647614490c1b0865882619a24e3ac0848b5aea1796fad054c0dd6f718 |
memory/3732-234-0x00007FFF7A000000-0x00007FFF7A46E000-memory.dmp
memory/3732-232-0x00007FFF764C0000-0x00007FFF764E6000-memory.dmp
memory/3732-231-0x00007FFF854B0000-0x00007FFF854BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\downloads_db
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\downloads_db
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
memory/3732-230-0x00007FFF7D000000-0x00007FFF7D014000-memory.dmp
memory/5004-229-0x00007FFF7C530000-0x00007FFF7CFF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI36842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
| MD5 | 9bb72ad673c91050ecb9f4a3f98b91ef |
| SHA1 | 67ff2d6ab21e2bbe84f43a84ecd2fd64161e25f4 |
| SHA256 | 17fc896275afcd3cdd20836a7379d565d156cd409dc28f95305c32f1b3e99c4f |
| SHA512 | 4c1236f9cfbb2ec8e895c134b7965d1ebf5404e5d00acf543b9935bc22d07d58713a75eee793c02dfda29b128412972f00e82a636d33ec8c9e0d9804f465bc40 |
C:\Users\Admin\AppData\Local\Temp\_MEI36842\_hashlib.pyd
| MD5 | 0d723bc34592d5bb2b32cf259858d80e |
| SHA1 | eacfabd037ba5890885656f2485c2d7226a19d17 |
| SHA256 | f2b927aaa856d23f628b01380d5a19bfe9233db39c9078c0e0585d376948c13f |
| SHA512 | 3e79455554d527d380adca39ac10dbf3914ca4980d8ee009b7daf30aeb4e9359d9d890403da9cc2b69327c695c57374c390fa780a8fd6148bbea3136138ead33 |
memory/3732-220-0x000001EF32BB0000-0x000001EF32F25000-memory.dmp
memory/5004-218-0x000001AD64220000-0x000001AD659F6000-memory.dmp
memory/3732-311-0x00007FFF71650000-0x00007FFF718A2000-memory.dmp
memory/3732-310-0x00007FFF756A0000-0x00007FFF756C9000-memory.dmp
memory/3732-309-0x00007FFF75A40000-0x00007FFF75A5E000-memory.dmp
memory/3732-308-0x00007FFF75B50000-0x00007FFF75B61000-memory.dmp
memory/3732-307-0x00007FFF756D0000-0x00007FFF7571C000-memory.dmp
memory/3732-306-0x00007FFF75B70000-0x00007FFF75B89000-memory.dmp
memory/3732-305-0x00007FFF75B90000-0x00007FFF75BA7000-memory.dmp
memory/3732-304-0x00007FFF75BB0000-0x00007FFF75BD2000-memory.dmp
memory/3732-303-0x00007FFF75BE0000-0x00007FFF75BF4000-memory.dmp
memory/3732-302-0x00007FFF75C00000-0x00007FFF75C10000-memory.dmp
memory/3732-301-0x00007FFF75C10000-0x00007FFF75C25000-memory.dmp
memory/3732-300-0x00007FFF75C30000-0x00007FFF75C3C000-memory.dmp
memory/3732-299-0x00007FFF75C40000-0x00007FFF75C52000-memory.dmp
memory/3732-298-0x00007FFF75C60000-0x00007FFF75C6D000-memory.dmp
memory/3732-297-0x00007FFF75C70000-0x00007FFF75C7C000-memory.dmp
memory/3732-296-0x00007FFF75C80000-0x00007FFF75C8C000-memory.dmp
memory/3732-295-0x00007FFF75F70000-0x00007FFF75F7B000-memory.dmp
memory/3732-294-0x00007FFF75F80000-0x00007FFF75F8B000-memory.dmp
memory/3732-293-0x00007FFF75F90000-0x00007FFF75F9C000-memory.dmp
memory/3732-292-0x00007FFF75FF0000-0x00007FFF75FFC000-memory.dmp
memory/3732-291-0x00007FFF76000000-0x00007FFF7600E000-memory.dmp
memory/3732-290-0x00007FFF760F0000-0x00007FFF760FD000-memory.dmp
memory/3732-289-0x00007FFF76100000-0x00007FFF7610C000-memory.dmp
memory/3732-288-0x00007FFF762F0000-0x00007FFF762FB000-memory.dmp
memory/3732-287-0x00007FFF76300000-0x00007FFF7630C000-memory.dmp
memory/3732-286-0x00007FFF76310000-0x00007FFF7631B000-memory.dmp
memory/3732-285-0x00007FFF76320000-0x00007FFF7632C000-memory.dmp
memory/3732-284-0x00007FFF76330000-0x00007FFF7633B000-memory.dmp
memory/3732-283-0x00007FFF76340000-0x00007FFF7634B000-memory.dmp
memory/3732-282-0x00007FFF8A0A0000-0x00007FFF8A0B9000-memory.dmp
memory/5004-331-0x000001AD63130000-0x000001AD6314C000-memory.dmp
memory/5004-333-0x000001AD63150000-0x000001AD63176000-memory.dmp
memory/5004-332-0x000001AD630F0000-0x000001AD63104000-memory.dmp
memory/5004-334-0x000001AD67FB0000-0x000001AD67FB8000-memory.dmp
memory/5004-336-0x000001AD68030000-0x000001AD6803E000-memory.dmp
memory/5004-335-0x000001AD69100000-0x000001AD69138000-memory.dmp
memory/5092-338-0x0000000000010000-0x0000000000066000-memory.dmp
C:\Recovery\WindowsRE\SppExtComObj.exe
| MD5 | 424c6a907442c498dc37e7cfab9e62b0 |
| SHA1 | 086872176d32cb129e68f4b3548ac4faa6f6780a |
| SHA256 | 66ebe251f8bd343f906e26b788c5e3e24a967f876ff7007a24fd40c427752872 |
| SHA512 | 8c8da5892f88841f135e0aa81fd8ede84cdfaa1856bd4f3937d87de79dcf426713d73a34084cdba860b83978a8b0568e9b2c2a0c8da11f112cd8bd0a20164bed |
memory/3732-382-0x00007FFF76380000-0x00007FFF7639F000-memory.dmp
memory/3732-369-0x00007FFF7D050000-0x00007FFF7D07E000-memory.dmp
memory/3732-361-0x00007FFF82D90000-0x00007FFF82DB4000-memory.dmp
memory/3732-370-0x00007FFF76F00000-0x00007FFF76FBC000-memory.dmp
memory/3732-360-0x00007FFF7A000000-0x00007FFF7A46E000-memory.dmp
memory/3732-383-0x00007FFF75C90000-0x00007FFF75E01000-memory.dmp
memory/3732-377-0x00007FFF718B0000-0x00007FFF71C25000-memory.dmp
memory/3732-376-0x00007FFF76590000-0x00007FFF76648000-memory.dmp
memory/3732-375-0x00007FFF76690000-0x00007FFF766BE000-memory.dmp
memory/3732-374-0x00007FFF7D670000-0x00007FFF7D68C000-memory.dmp
memory/3732-386-0x00007FFF7A000000-0x00007FFF7A46E000-memory.dmp
memory/3732-395-0x00007FFF7D050000-0x00007FFF7D07E000-memory.dmp
memory/3732-396-0x00007FFF76F00000-0x00007FFF76FBC000-memory.dmp
memory/3732-410-0x000001EF32BB0000-0x000001EF32F25000-memory.dmp
memory/3732-411-0x00007FFF7A000000-0x00007FFF7A46E000-memory.dmp
memory/3732-436-0x00007FFF71650000-0x00007FFF718A2000-memory.dmp
memory/3732-515-0x00007FFF763A0000-0x00007FFF764B8000-memory.dmp
memory/3732-525-0x00007FFF76F00000-0x00007FFF76FBC000-memory.dmp
memory/3732-535-0x00007FFF764C0000-0x00007FFF764E6000-memory.dmp
memory/3732-534-0x00007FFF854B0000-0x00007FFF854BB000-memory.dmp
memory/3732-533-0x00007FFF7D000000-0x00007FFF7D014000-memory.dmp
memory/3732-532-0x00007FFF718B0000-0x00007FFF71C25000-memory.dmp
memory/3732-531-0x00007FFF76590000-0x00007FFF76648000-memory.dmp
memory/3732-530-0x00007FFF76690000-0x00007FFF766BE000-memory.dmp
memory/3732-529-0x00007FFF7D670000-0x00007FFF7D68C000-memory.dmp
memory/3732-528-0x00007FFF8C690000-0x00007FFF8C69A000-memory.dmp
memory/3732-527-0x00007FFF76BE0000-0x00007FFF76C22000-memory.dmp
memory/3732-526-0x00007FFF7D020000-0x00007FFF7D04B000-memory.dmp
memory/3732-524-0x00007FFF7D050000-0x00007FFF7D07E000-memory.dmp
memory/3732-523-0x00007FFF8CA40000-0x00007FFF8CA4D000-memory.dmp
memory/3732-522-0x00007FFF8CB60000-0x00007FFF8CB6D000-memory.dmp
memory/3732-521-0x00007FFF8A0A0000-0x00007FFF8A0B9000-memory.dmp
memory/3732-520-0x00007FFF7D080000-0x00007FFF7D0B4000-memory.dmp
memory/3732-519-0x00007FFF7D690000-0x00007FFF7D6BD000-memory.dmp
memory/3732-518-0x00007FFF8BA80000-0x00007FFF8BA99000-memory.dmp
memory/3732-516-0x00007FFF82D90000-0x00007FFF82DB4000-memory.dmp
memory/3732-514-0x00007FFF7A000000-0x00007FFF7A46E000-memory.dmp
memory/3732-517-0x00007FFF90B80000-0x00007FFF90B8F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 10:13
Reported
2024-05-31 10:16
Platform
win7-20240221-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\", \"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\", \"C:\\Windows\\ShellNew\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\", \"C:\\Windows\\System32\\sk-SK\\lsm.exe\", \"C:\\Windows\\es-ES\\Idle.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intro.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\DigitalLocker\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\ShellNew\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Offline Web Pages\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Offline Web Pages\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\es-ES\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\ShellNew\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sk-SK\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\DigitalLocker\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\AppCompat\\Programs\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows NT\\TableTextService\\it-IT\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sk-SK\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\es-ES\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Media Player\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\sk-SK\lsm.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\sk-SK\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Portable Devices\cmd.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\it-IT\75a57c1bdf437c | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Journal\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Journal\ja-JP\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\it-IT\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\dwm.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\Offline Web Pages\lsass.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\Offline Web Pages\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\DigitalLocker\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\ShellNew\conhost.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\ShellNew\088424020bedd6 | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\es-ES\Idle.exe | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\es-ES\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| File created | C:\Windows\DigitalLocker\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BoosterX.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe
"C:\Users\Admin\AppData\Local\Temp\faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe"
C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
"C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\intro.exe
"C:\Users\Admin\AppData\Local\Temp\intro.exe"
C:\Users\Admin\AppData\Local\Temp\intro.exe
"C:\Users\Admin\AppData\Local\Temp\intro.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\system32\zpcS8zO5yqSLxdW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\system32\x52n02Ru6CyAUqZaamJgdYl7XD.bat" "
C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\system32\svchost.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\sk-SK\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\sk-SK\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\attachments\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\attachments\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe
"C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0986534.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0986534.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0986534.xsph.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
\Users\Admin\AppData\Local\Temp\intro.exe
C:\Users\Admin\AppData\Local\Temp\_MEI16762\python310.dll
C:\Users\Admin\AppData\Local\Temp\system32\zpcS8zO5yqSLxdW.vbe
C:\Users\Admin\AppData\Local\Temp\CabF0D6.tmp
C:\Users\Admin\AppData\Local\Temp\TarF0E9.tmp
C:\Users\Admin\AppData\Local\Temp\system32\x52n02Ru6CyAUqZaamJgdYl7XD.bat
\Users\Admin\AppData\Local\Temp\system32\svchost.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar1294.tmp