Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 02:26
Static task
static1
Behavioral task
behavioral1
Sample
48a8ee49651a74a74baca1f7c94729e5.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
48a8ee49651a74a74baca1f7c94729e5.exe
Resource
win10v2004-20240611-en
General
-
Target
48a8ee49651a74a74baca1f7c94729e5.exe
-
Size
11.5MB
-
MD5
48a8ee49651a74a74baca1f7c94729e5
-
SHA1
0339e2c61f6cdb9e37ca03f9d97e7811593eba23
-
SHA256
9ce7950dbd49b8c82b25df40fa94e88830361b8625d2f91214fa7583a346f992
-
SHA512
6bd551233c93c3fbe66b8eec7f5ae2f8d8b42b0918ff13384823c3ebb4d5993a6af3f2ec4280880d396414a9a770ee0dc909b78ae4a98579f32ba2a2855f1448
-
SSDEEP
196608:tHHbgJSiavNLVOOHrVB71ZwMFOc3aVeYz4t/+KwgPuZ9RaD:h7gJA3tHMC3a5z4XwgPo9y
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 14 IoCs
Processes:
fontsessionruntime.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo 
Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All 
Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\conhost.exe\", \"C:\\agentInto\\taskhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", 
\"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\", \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\", \"C:\\agentInto\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\conhost.exe\"" fontsessionruntime.exe -
Process spawned unexpected child process 42 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro; in this run the unexpected parent is wmiprvse.exe spawning schtasks.exe.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1728 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 2620 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2504 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2196 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1908 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 616 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 1016 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2220 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1444 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2400 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1216 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2368 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 984 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2732 984 schtasks.exe -
Processes:
fontsessionruntime.exeaudiodg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe dcrat C:\agentInto\fontsessionruntime.exe dcrat behavioral1/memory/1040-186-0x00000000009A0000-0x0000000000DA2000-memory.dmp dcrat behavioral1/memory/764-249-0x0000000001350000-0x0000000001752000-memory.dmp dcrat -
Executes dropped EXE 17 IoCs
Processes:
x12.exex11.exex10.exex9.exex8.exex7.exex6.exex5.exex4.exeCheatLauncherV2.exeDCRatBuild.exeBuilt.exeSolaraBootstrapper.exeBuilt.exefontsessionruntime.exeaudiodg.exepid process 2204 x12.exe 2576 x11.exe 2392 x10.exe 2692 x9.exe 2384 x8.exe 2900 x7.exe 2708 x6.exe 2760 x5.exe 616 x4.exe 1188 CheatLauncherV2.exe 2596 DCRatBuild.exe 1992 Built.exe 1688 SolaraBootstrapper.exe 2144 Built.exe 1172 1040 fontsessionruntime.exe 764 audiodg.exe -
Loads dropped DLL 28 IoCs
Processes:
48a8ee49651a74a74baca1f7c94729e5.exex12.exex11.exex10.exex9.exex8.exex7.exex6.exex5.exex4.exeCheatLauncherV2.exeBuilt.exeBuilt.execmd.exepid process 1948 48a8ee49651a74a74baca1f7c94729e5.exe 1948 48a8ee49651a74a74baca1f7c94729e5.exe 2204 x12.exe 2204 x12.exe 2576 x11.exe 2576 x11.exe 2392 x10.exe 2392 x10.exe 2692 x9.exe 2692 x9.exe 2384 x8.exe 2384 x8.exe 2900 x7.exe 2900 x7.exe 2708 x6.exe 2708 x6.exe 2760 x5.exe 2760 x5.exe 616 x4.exe 616 x4.exe 1188 CheatLauncherV2.exe 1188 CheatLauncherV2.exe 1188 CheatLauncherV2.exe 1992 Built.exe 2144 Built.exe 1172 1052 cmd.exe 1052 cmd.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\_MEI19922\python312.dll upx behavioral1/memory/2144-149-0x000007FEF6510000-0x000007FEF6BD5000-memory.dmp upx -
Adds Run key to start application 2 TTPs 24 IoCs
Processes:
fontsessionruntime.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Windows Portable Devices\\lsm.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontsessionruntime = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\System.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\agentInto\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\agentInto\\taskhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\"" fontsessionruntime.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\agentInto\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\Idle.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\conhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontsessionruntime = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\fontsessionruntime.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\audiodg.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\agentInto\\taskhost.exe\"" fontsessionruntime.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Windows Portable Devices\\lsm.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\sppsvc.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\explorer.exe\"" fontsessionruntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\conhost.exe\"" fontsessionruntime.exe -
Processes:
fontsessionruntime.exeaudiodg.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fontsessionruntime.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 7 raw.githubusercontent.com 10 pastebin.com 11 pastebin.com 6 raw.githubusercontent.com -
Drops file in Program Files directory 6 IoCs
Processes:
fontsessionruntime.exedescription ioc process File created C:\Program Files\Windows Photo Viewer\ja-JP\fontsessionruntime.exe fontsessionruntime.exe File created C:\Program Files\Windows Photo Viewer\ja-JP\8cd4b842f5b61d fontsessionruntime.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\audiodg.exe fontsessionruntime.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\42af1c969fbb7b fontsessionruntime.exe File created C:\Program Files\Windows Portable Devices\lsm.exe fontsessionruntime.exe File created C:\Program Files\Windows Portable Devices\101b941d020240 fontsessionruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
schtasks.exe is often used by malware to establish persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2644 schtasks.exe 2100 schtasks.exe 2712 schtasks.exe 2588 schtasks.exe 2584 schtasks.exe 2896 schtasks.exe 1516 schtasks.exe 2732 schtasks.exe 2020 schtasks.exe 1680 schtasks.exe 2904 schtasks.exe 2472 schtasks.exe 1684 schtasks.exe 2504 schtasks.exe 2940 schtasks.exe 1016 schtasks.exe 2816 schtasks.exe 2708 schtasks.exe 2932 schtasks.exe 2256 schtasks.exe 2648 schtasks.exe 2064 schtasks.exe 2220 schtasks.exe 1216 schtasks.exe 2528 schtasks.exe 1728 schtasks.exe 2448 schtasks.exe 2660 schtasks.exe 2368 schtasks.exe 2164 schtasks.exe 1732 schtasks.exe 2400 schtasks.exe 1600 schtasks.exe 2196 schtasks.exe 1908 schtasks.exe 616 schtasks.exe 1972 schtasks.exe 2288 schtasks.exe 3032 schtasks.exe 2620 schtasks.exe 2900 schtasks.exe 1444 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SolaraBootstrapper.exefontsessionruntime.exeaudiodg.exepid process 1688 SolaraBootstrapper.exe 1688 SolaraBootstrapper.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 1040 fontsessionruntime.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe 764 audiodg.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
SolaraBootstrapper.exefontsessionruntime.exeaudiodg.exevssvc.exedescription pid process Token: SeDebugPrivilege 1688 SolaraBootstrapper.exe Token: SeDebugPrivilege 1040 fontsessionruntime.exe Token: SeDebugPrivilege 764 audiodg.exe Token: SeBackupPrivilege 2908 vssvc.exe Token: SeRestorePrivilege 2908 vssvc.exe Token: SeAuditPrivilege 2908 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
48a8ee49651a74a74baca1f7c94729e5.exex12.exex11.exex10.exex9.exex8.exex7.exex6.exex5.exex4.exeCheatLauncherV2.exeBuilt.exedescription pid process target process PID 1948 wrote to memory of 2204 1948 48a8ee49651a74a74baca1f7c94729e5.exe x12.exe PID 1948 wrote to memory of 2204 1948 48a8ee49651a74a74baca1f7c94729e5.exe x12.exe PID 1948 wrote to memory of 2204 1948 48a8ee49651a74a74baca1f7c94729e5.exe x12.exe PID 1948 wrote to memory of 2204 1948 48a8ee49651a74a74baca1f7c94729e5.exe x12.exe PID 2204 wrote to memory of 2576 2204 x12.exe x11.exe PID 2204 wrote to memory of 2576 2204 x12.exe x11.exe PID 2204 wrote to memory of 2576 2204 x12.exe x11.exe PID 2204 wrote to memory of 2576 2204 x12.exe x11.exe PID 2576 wrote to memory of 2392 2576 x11.exe x10.exe PID 2576 wrote to memory of 2392 2576 x11.exe x10.exe PID 2576 wrote to memory of 2392 2576 x11.exe x10.exe PID 2576 wrote to memory of 2392 2576 x11.exe x10.exe PID 2392 wrote to memory of 2692 2392 x10.exe x9.exe PID 2392 wrote to memory of 2692 2392 x10.exe x9.exe PID 2392 wrote to memory of 2692 2392 x10.exe x9.exe PID 2392 wrote to memory of 2692 2392 x10.exe x9.exe PID 2692 wrote to memory of 2384 2692 x9.exe x8.exe PID 2692 wrote to memory of 2384 2692 x9.exe x8.exe PID 2692 wrote to memory of 2384 2692 x9.exe x8.exe PID 2692 wrote to memory of 2384 2692 x9.exe x8.exe PID 2384 wrote to memory of 2900 2384 x8.exe x7.exe PID 2384 wrote to memory of 2900 2384 x8.exe x7.exe PID 2384 wrote to memory of 2900 2384 x8.exe x7.exe PID 2384 wrote to memory of 2900 2384 x8.exe x7.exe PID 2900 wrote to memory of 2708 2900 x7.exe x6.exe PID 2900 wrote to memory of 2708 2900 x7.exe x6.exe PID 2900 wrote to memory of 2708 2900 x7.exe x6.exe PID 2900 wrote to memory of 2708 2900 x7.exe x6.exe PID 2708 wrote to memory of 2760 2708 x6.exe x5.exe PID 2708 wrote to memory of 2760 2708 x6.exe x5.exe PID 2708 wrote to memory of 2760 2708 x6.exe x5.exe PID 2708 wrote to memory of 2760 2708 x6.exe x5.exe PID 2760 wrote to memory of 616 
2760 x5.exe schtasks.exe PID 2760 wrote to memory of 616 2760 x5.exe schtasks.exe PID 2760 wrote to memory of 616 2760 x5.exe schtasks.exe PID 2760 wrote to memory of 616 2760 x5.exe schtasks.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 616 wrote to memory of 1188 616 x4.exe CheatLauncherV2.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 2596 1188 CheatLauncherV2.exe DCRatBuild.exe PID 1188 wrote to memory of 1992 1188 CheatLauncherV2.exe Built.exe PID 1188 wrote to memory of 1992 1188 CheatLauncherV2.exe Built.exe PID 1188 wrote to memory of 1992 1188 CheatLauncherV2.exe Built.exe PID 1188 wrote to memory of 1992 1188 CheatLauncherV2.exe Built.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1188 wrote to memory of 1688 1188 CheatLauncherV2.exe SolaraBootstrapper.exe PID 1992 
wrote to memory of 2144 1992 Built.exe Built.exe PID 1992 wrote to memory of 2144 1992 Built.exe Built.exe PID 1992 wrote to memory of 2144 1992 Built.exe Built.exe -
System policy modification 1 TTPs 6 IoCs
Processes:
audiodg.exefontsessionruntime.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fontsessionruntime.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run at boot, at logon, or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48a8ee49651a74a74baca1f7c94729e5.exe"C:\Users\Admin\AppData\Local\Temp\48a8ee49651a74a74baca1f7c94729e5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\x12.exe"C:\Users\Admin\AppData\Local\Temp\x12.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\x11.exe"C:\Users\Admin\AppData\Local\Temp\x11.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\x10.exe"C:\Users\Admin\AppData\Local\Temp\x10.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\x9.exe"C:\Users\Admin\AppData\Local\Temp\x9.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\x8.exe"C:\Users\Admin\AppData\Local\Temp\x8.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\x7.exe"C:\Users\Admin\AppData\Local\Temp\x7.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\x6.exe"C:\Users\Admin\AppData\Local\Temp\x6.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\x5.exe"C:\Users\Admin\AppData\Local\Temp\x5.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\x4.exe"C:\Users\Admin\AppData\Local\Temp\x4.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Users\Admin\AppData\Local\Temp\CheatLauncherV2.exe"C:\Users\Admin\AppData\Local\Temp\CheatLauncherV2.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"12⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\agentInto\ygzWE.vbe"13⤵PID:780
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\agentInto\pR9EprN9daTFn7S7o.bat" "14⤵
- Loads dropped DLL
PID:1052 -
C:\agentInto\fontsessionruntime.exe"C:\agentInto\fontsessionruntime.exe"15⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1040 -
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\audiodg.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\audiodg.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:764 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontsessionruntimef" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\fontsessionruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontsessionruntime" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\fontsessionruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontsessionruntimef" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\fontsessionruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\agentInto\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\agentInto\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\agentInto\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\agentInto\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\agentInto\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\agentInto\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Built.exeFilesize
24.0MB
MD568d3ea3afa53dedfd3593d140747b932
SHA1757ff4ea1105bdcc861c98872cb28f3a32b170e9
SHA25697e31ae693f118965c81672374dfa269f2b5c3c2b9502ac983f8b5817d5d0002
SHA512b72adb6eed395db98f9bd3452c82252807320ed682cd585714fa4d526b6644ea873a62914f5fed2989fcf85f7b2e9472e37c2e3bbfb92867a2747ccee8ef8048
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exeFilesize
4.3MB
MD52edb71dd3792b6f6a774edbf67bb78d2
SHA17a8cff8359caec23a66212118ce4edd1e239bfeb
SHA2569daadd6e7cbd889a2a05fa94d2876710542332a79782cec38c09e9079415b6ae
SHA512aa9bb70014a07b181960bd9ea1c1106f046f123f24a263c45ab58a461245e141a0ad3af7d7b17e0cc59675fe1934f62a735756d52d068474690828fe6b44719f
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exeFilesize
13KB
MD56557bd5240397f026e675afb78544a26
SHA1839e683bf68703d373b6eac246f19386bb181713
SHA256a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97
-
C:\Users\Admin\AppData\Local\Temp\_MEI19922\python312.dllFilesize
1.7MB
MD5fb8bedf8440eb432c9f3587b8114abc0
SHA1136bb4dd38a7f6cb3e2613910607131c97674f7c
SHA256cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6
SHA512b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63
-
C:\Users\Admin\AppData\Local\Temp\x11.exeFilesize
11.4MB
MD534cb7fca8cb671327865d0bcf6de72bc
SHA1f0b1cedace31b386c893530e6dce75c2ecfef083
SHA256a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81
SHA512a09a2fd355e0e7f7a7bf0c25fee3300d7e695f1871514181aef6cb7c5d9f085f6a3003cfea423ad3c79d1b463b2dd3e323c84ae6d8e352483270ee20e520d373
-
C:\Users\Admin\AppData\Local\Temp\x5.exeFilesize
11.4MB
MD58dbee0cb9b7550432df6beb4d9ea5cf0
SHA1592502d95f326d76387d85fb48036179a7d15d38
SHA256d7ffd20027f5b1b9948e76fa157023c22a86425e026a377684a3947abdb61135
SHA51220422414b413c33b1db119488a71322b449db756ecee73c3825fee991fd468a0e09c6ae4b60fe2fd568b0590b77df43937ef8e35d752ff931482519d9fb0c183
-
C:\Users\Admin\AppData\Local\Temp\x6.exeFilesize
11.4MB
MD561f5d17c10de6541139134fb7058f88e
SHA1a6df4a45aab40753023f2fdd7efd32ae9a226ff5
SHA256914287ad713df86ea9fed9f86cd963f88eb22de143d8892b7ef055fd45dba567
SHA51228b66e1cb8334e806139c8b30ec3100010abf277d9d2e5eecf99ac837fb384ca5bf76de2549bf4faf92614cfaa6a861abbe75055248242d9dc392c319375a900
-
C:\Users\Admin\AppData\Local\Temp\x8.exeFilesize
11.4MB
MD5dd97aab085b140b715dd1a52038e3c70
SHA121a8cbffa7c31a3ae0493b8567b528faba5c4fe9
SHA25642be65ad4df6bf83ce6a30c1a159921463571c32faf372af53a5edab641ea7aa
SHA5127ad65e44d706e304c493895eec33a538937de13a13b0af7b13be95be0615177d78e1eb3b8cbd06e5612dc7bcf522d2c9abd5c6ab4efacf20052bdf7e09bc4ba2
-
C:\agentInto\fontsessionruntime.exeFilesize
4.0MB
MD56cf5f23f1c8ca3bc6342506baac300da
SHA118affb87f0e996d202f0be3b8109701120ea3995
SHA256f3ee0a31d29b515d2e0bf776507897ca3ef5605d0470adcc4163209ba78e3445
SHA51266830da8515a32f3cf03149f0b23398265cbad452be1e81bfbaa2fb553e607ab498b2e6d2af06d9ec840236c2fe7d964443ed4f2ab4d9e50bd07ecf1aa70335b
-
C:\agentInto\pR9EprN9daTFn7S7o.batFilesize
37B
MD5590bafac5ec119e118eb63489987073c
SHA143b1193a321ea8eb187d478b824b29688e2e40d4
SHA2566d73104dd95eb27a2ad2b311cab5fcd401f2aac68cb050eff23e2cbf752a40ac
SHA512b81edccf58145f977c683f808fc88d599c25fad5647e958d9da8fc6f016c0d75eaddb44064c46ea487144873ab6648a8a70c074dc9ec4fe8f37711717cef5685
-
C:\agentInto\ygzWE.vbeFilesize
204B
MD51e49f9332d5b41ddcaf97f7c284c16f8
SHA1aa9f15475f700366b4b22728dce302b58401850b
SHA256d569b2b96fe889ccca95d5296d45a5b05e501bdefbe6216d30a53267a0bcf55a
SHA5121487aad116ee07a2abbba90f1290657420057c98e5f7a8a8f308f497ea5176ff7ba77252ce709c84318947834637c171bb69e6dbea9e4d9f3d8e19ca260b652b
-
\Users\Admin\AppData\Local\Temp\CheatLauncherV2.exeFilesize
11.4MB
MD5108590051fab4871af861b8b12ad1e96
SHA1172d10992c078145e1439e85869dcee89e95819b
SHA2567d11195746ed7866dce67ebe82dd5c9bdc6f3251528a9d40c22be61612f71d1a
SHA51227863d3991e490d69f199d8bf3ea521bee1cfe18336fcf64960c5fa16cd4ec7fc7e4a74f4795b9ffeed194326f6f28dc800569b0e6f7d2bb8647d64f37c2d544
-
\Users\Admin\AppData\Local\Temp\x10.exeFilesize
11.4MB
MD5b93fc536df3c66e783fcbb9071db7545
SHA1ce29bc506242c2389366f67edb3b36577d01f778
SHA2569267614f67e94feeeae12c00f294e8af4587cf74ce817d179098d7e17ef24874
SHA5124b4a87624eb5f23a13ac55acc874e9444c41b54a772e3d89a5a383a476d09db6dcdac69bc914645fe8c3102ea050a4dbede65f379c4f51aa1fdeb01e8194b1e6
-
\Users\Admin\AppData\Local\Temp\x12.exeFilesize
11.5MB
MD5a236344bcc36451b5760c4bf40df3cda
SHA1201737c41d87013535c5407f264f5d8e38f3351a
SHA256e5e02b828d06986c27c50cf3398ee4e9fc56fcdd017684ab27388ebd1f4fd265
SHA512ee1b7daf72fd2a38e1c7f2ce8557ce164a1818485efd49506bbbdccce33eab702008aabb5721a13b9a14282be92a8a0b29ceccc157aebb591afa10d5ee7ccfd6
-
\Users\Admin\AppData\Local\Temp\x4.exeFilesize
11.4MB
MD5609a00e116060457295ce9293e6e3b3e
SHA1e99114d54d914b0d543e62ff54807d83551a16b6
SHA2565cac320a19828d4e3e89428ad877951babaa6739a337ff4c8c2f3b9828d85358
SHA5121c1f117e06ca09dab65626bca4cab8ccf4b3073dca564a6cc2dc9e82a752f936150ff75e077db0c906d1248f9ca9bb94d1af8fed616d8e013c548b25033f8fcc
-
\Users\Admin\AppData\Local\Temp\x7.exeFilesize
11.4MB
MD50e9fee8861c55c0ebadc5f678fbd8a9a
SHA1c760e5d24b60902f566529af6ddaf2b90e319046
SHA256866d6644ccce8d86d9526ef959ee5ddd9414e35750a1a10968035063ffa694d8
SHA512f3461f6e0c0004a0b56578efd83d7fd3f79ec47ad8e0848ae14d21bb585ecbfec9770296382f63054395e636ba911b9e4bcc3f88c0eb9b73e542ad1f5d0b869e
-
\Users\Admin\AppData\Local\Temp\x9.exeFilesize
11.4MB
MD57e5f18a5c7eb009e54ae4fc6127e864c
SHA1e9217d8f28de469a091ce420c5f74abd5e77ae92
SHA25660f981607fdd0547fa8afb700fbfc0cc8fcac163bc819e36bbd859ce5594b016
SHA5122a4ef3c3c13a59ca681e189b662952583f5d124bd7cb5f8690aa30c44871fda2db9839b55bc26e0e53af7f0447e910d405a3693aacbd214e13a62b13f11061ed
-
memory/764-250-0x0000000000680000-0x0000000000692000-memory.dmpFilesize
72KB
-
memory/764-249-0x0000000001350000-0x0000000001752000-memory.dmpFilesize
4.0MB
-
memory/1040-192-0x0000000000630000-0x0000000000638000-memory.dmpFilesize
32KB
-
memory/1040-201-0x0000000002370000-0x0000000002378000-memory.dmpFilesize
32KB
-
memory/1040-189-0x0000000000460000-0x000000000047C000-memory.dmpFilesize
112KB
-
memory/1040-188-0x0000000000450000-0x0000000000458000-memory.dmpFilesize
32KB
-
memory/1040-193-0x0000000000650000-0x0000000000662000-memory.dmpFilesize
72KB
-
memory/1040-186-0x00000000009A0000-0x0000000000DA2000-memory.dmpFilesize
4.0MB
-
memory/1040-191-0x0000000000610000-0x0000000000626000-memory.dmpFilesize
88KB
-
memory/1040-190-0x0000000000600000-0x0000000000608000-memory.dmpFilesize
32KB
-
memory/1040-194-0x0000000000640000-0x000000000064C000-memory.dmpFilesize
48KB
-
memory/1040-196-0x00000000022D0000-0x00000000022E0000-memory.dmpFilesize
64KB
-
memory/1040-195-0x00000000022C0000-0x00000000022C8000-memory.dmpFilesize
32KB
-
memory/1040-197-0x0000000000660000-0x000000000066A000-memory.dmpFilesize
40KB
-
memory/1040-198-0x00000000025D0000-0x0000000002626000-memory.dmpFilesize
344KB
-
memory/1040-199-0x00000000022B0000-0x00000000022BC000-memory.dmpFilesize
48KB
-
memory/1040-200-0x00000000022E0000-0x00000000022EC000-memory.dmpFilesize
48KB
-
memory/1040-187-0x0000000000440000-0x000000000044E000-memory.dmpFilesize
56KB
-
memory/1040-202-0x0000000002400000-0x0000000002412000-memory.dmpFilesize
72KB
-
memory/1040-204-0x0000000002620000-0x000000000262C000-memory.dmpFilesize
48KB
-
memory/1040-203-0x0000000002430000-0x0000000002438000-memory.dmpFilesize
32KB
-
memory/1040-205-0x0000000002630000-0x0000000002638000-memory.dmpFilesize
32KB
-
memory/1040-206-0x0000000002690000-0x000000000269C000-memory.dmpFilesize
48KB
-
memory/1040-207-0x000000001AC00000-0x000000001AC08000-memory.dmpFilesize
32KB
-
memory/1040-208-0x000000001AC10000-0x000000001AC1C000-memory.dmpFilesize
48KB
-
memory/1040-209-0x000000001AC20000-0x000000001AC2E000-memory.dmpFilesize
56KB
-
memory/1040-210-0x000000001AC30000-0x000000001AC38000-memory.dmpFilesize
32KB
-
memory/1040-211-0x000000001AC40000-0x000000001AC48000-memory.dmpFilesize
32KB
-
memory/1040-213-0x000000001AC60000-0x000000001AC6A000-memory.dmpFilesize
40KB
-
memory/1040-212-0x000000001AC50000-0x000000001AC58000-memory.dmpFilesize
32KB
-
memory/1040-214-0x000000001AC70000-0x000000001AC7C000-memory.dmpFilesize
48KB
-
memory/1688-158-0x00000000009B0000-0x00000000009BA000-memory.dmpFilesize
40KB
-
memory/2144-149-0x000007FEF6510000-0x000007FEF6BD5000-memory.dmpFilesize
6.8MB