Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
59s -
max time network
57s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30/06/2024, 07:13
General
-
Target
SolaraB/Solara/SolaraBootstrapper.exe
-
Size
3.6MB
-
MD5
1084103f4bd706bf885d41afea903c6d
-
SHA1
13d1b69e8d5beb8da4a7064dba7d170d1a038659
-
SHA256
a79d06166220bed4b1f1db64c211e0b8ae442d053ad3428cb7bc4a802bcb0c18
-
SHA512
9affc2ce5813e810d686bd5f4faf70e3b4062a07da470ce8ea1214b11b078fd4c41a8c59bd49bb64505ac209b3bb91ed32ee49e8cc69617178701e6ed8390ff4
-
SSDEEP
98304:ZqwBaxdtHuWZIJ0iDZkTBo2UYndDXJzATh:Zqw0xdtHutJ08uTBZUYnpQ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 18 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 5 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 13 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Drops file in System32 directory 11 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeChainsvc\ynBPrYHpb0rGVZHVTyIGwU9XZ.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeChainsvc\nDhZWkZlJyEO.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\bridgeChainsvc\bridgebrowserFont.exe"C:\bridgeChainsvc\bridgebrowserFont.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TQCIBmL527.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e13df84e-abd8-435a-80b2-067ec8c16492.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8218a83b-2988-4f7e-b0a9-091c7c7601ce.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5457a3b6-11f7-4aff-9a1b-deeca8d7ccf4.vbs"10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c35b61c7-f095-4b3a-98a8-3c3c907f02ed.vbs"8⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef732983-4cf3-44fb-ae2c-3f78f9d56828.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a8ff88-15e2-43a7-92a8-67387157f4ac.vbs"12⤵
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4fee81-79a5-47e3-bd4d-5f165f1e0f2e.vbs"14⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9070fd1-e6e5-41cc-848e-45bae0ca6d78.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a7fe9-dbb2-48eb-a0f8-96911f97ad45.vbs"12⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65bcc87-431a-4f9f-a16f-97537da1f799.vbs"10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ConvertUpdate.jpeg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
711B
MD55471f73c6c2b50c48d60354989750557
SHA164ad1a391e3e6ee25e4a025401447f0860b31f58
SHA2562c6cd55dc17c2e0497026a3dbde4706ec59396eaed909953d62f689e0e63d232
SHA5122d5b02755b53cb190854b8cded2168625d7954b572dce0c636257a8210cb8a3d0c1394e6fc4ed47e45daaf9472d213c779b96c62f1f41e7b2eeb849bc5661b64
-
Filesize
711B
MD548761047e736ccf9f9348beba25f16d6
SHA1fcb595d6bbcc2506b9eec9e76c6e22fde202f89f
SHA256fbd88ad24b723decf2250c003535c75c6745a92dc27394c5c3cd0885e53842c3
SHA512aa26786e764d69d8d2c397178ba2b456771d6190463c44a669319a66786e4dbc282c0c29bc49466d67775462439eea4cf9f2fd8203f4499a953016a02c5ad395
-
Filesize
711B
MD5412020e434bfaf49090f75df5d563290
SHA1181448ec97b5d621560913376aa662e44499222a
SHA256cc43433000044c32712e20d252ececa798d0b3a367eeed8bb1d87d1980d23144
SHA5127ee7b6a5d1d6b3a9b04e9a603ee874d7719b4f3f7fd0e525248cf4e92e1235e2bdd0536e20c80c1a5b5c8291bc1ae2cdb8d7f308adaf04d1a55312cb85882abf
-
Filesize
3.8MB
MD5ac7ea6f1952a9c6ffded545097f283e2
SHA11fb8cc03c0f6492ada6d85efc02050bff041398a
SHA2561b11cc0e9e5b2805295211c1511687fb909c349bcfe5b98a705dd18820b89704
SHA512964c000d6ad3e7a74ca1123e230bb4ce79b19cacb6195b8728d791081ca6fd2ac0b483ed0ccee7e43fa19a566de6943f88a8274946eb4f795a33f4a622a586ef
-
Filesize
488KB
MD5851fee9a41856b588847cf8272645f58
SHA1ee185a1ff257c86eb19d30a191bf0695d5ac72a1
SHA2565e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
SHA512cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f
-
Filesize
37KB
MD54cf94ffa50fd9bdc0bb93cceaede0629
SHA13e30eca720f4c2a708ec53fd7f1ba9e778b4f95f
SHA25650b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6
SHA512dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98
-
Filesize
43KB
MD534ec990ed346ec6a4f14841b12280c20
SHA16587164274a1ae7f47bdb9d71d066b83241576f0
SHA2561e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
SHA512b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0
-
Filesize
139B
MD5d0104f79f0b4f03bbcd3b287fa04cf8c
SHA154f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6
-
Filesize
43B
MD5c28b0fe9be6e306cc2ad30fe00e3db10
SHA1af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA2560694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9
-
Filesize
216B
MD5c2ab942102236f987048d0d84d73d960
SHA195462172699187ac02eaec6074024b26e6d71cff
SHA256948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479
-
Filesize
1KB
MD513babc4f212ce635d68da544339c962b
SHA14881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA51240e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
133KB
MD5a0bd0d1a66e7c7f1d97aedecdafb933f
SHA1dd109ac34beb8289030e4ec0a026297b793f64a3
SHA25679d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
SHA5122a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
-
Filesize
5.2MB
MD5aead90ab96e2853f59be27c4ec1e4853
SHA143cdedde26488d3209e17efff9a51e1f944eb35f
SHA25646cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
-
Filesize
34B
MD50e2184f1c7464b6617329fb18f107b4f
SHA16f22f98471e33c9db10d6f6f1728e98852e25b8f
SHA256dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb
SHA5128e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37
-
Filesize
4.2MB
MD5f71b342220b8f8935abe5ea0b1e5f30c
SHA1a70d41dbc456d548e790af717575b1f83e3f38b5
SHA256dec8c51c89452b183201e58e4cfceffb0924c4c1f7729841a739086711ff021f
SHA512d6ba2d0eecb2bd70ea727c7bd86cce75fe535e4a7688eb6fc6334e30f568d24d0b6661b8873ddb88c1bb75dbf772fae215b101545ff85e6461a2b05b85dfe05f
-
Filesize
90KB
MD5d84e7f79f4f0d7074802d2d6e6f3579e
SHA1494937256229ef022ff05855c3d410ac3e7df721
SHA256dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227
SHA512ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260
-
Filesize
522KB
MD5e31f5136d91bad0fcbce053aac798a30
SHA1ee785d2546aec4803bcae08cdebfd5d168c42337
SHA256ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
SHA512a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6
-
Filesize
99KB
MD57a2b8cfcd543f6e4ebca43162b67d610
SHA1c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA2567d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8
-
Filesize
113KB
MD575365924730b0b2c1a6ee9028ef07685
SHA1a10687c37deb2ce5422140b541a64ac15534250f
SHA256945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
SHA512c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1
-
Filesize
13KB
MD56557bd5240397f026e675afb78544a26
SHA1839e683bf68703d373b6eac246f19386bb181713
SHA256a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97
-
Filesize
200B
MD5b3b5ed925c7ecd79002f3dd29f0e01f1
SHA1c951817da294b42acfa76c4d3a558df2ac55e089
SHA2563de6992dd5afb5aa98e9f7cc79af034d00e18ce295d972f036dad548ea8ba9ab
SHA512315f1ac2169b40332b417494d5cbb3f535b7c219aefef19b42abce83c370a51796168808ea309881a449dc81017b6130f25c3639c926e496b2a8b2779fba5c5d
-
Filesize
487B
MD54ce81cc859b3b25c344b6825a7dbce12
SHA11940e75e511d2326daf042c936022f758b5964f0
SHA256585155355da6bc3f2d0830fa5b6fc118d82027a6f58fa42dcc64ff79b93fe949
SHA51203f79305a14c1019dbb350ca5a8fbf9141fc2555450b9a411bbe1f182f0b7900c2128cfd294034b4de6d8e6f303913083e1e17d94771f921cce14bc969b6b8ec
-
Filesize
711B
MD50f5893f7246fe44be025c9cc75181a7e
SHA1dad989a1277b0755c0df10fab98ac86dd08ca1ab
SHA256fa1584a7385bb0588750cd110af9c1e272b10b737744484e2b3d9edfcce347ab
SHA512a9da85deb0dd69ad7ffbc0c2df78dac67bb3752f85fc21250fc944b4590cb94408f61ec180756bcfc33085a02667a957c6fd2ad8527ad5c51bcdbfddcb52d14e
-
Filesize
711B
MD5bdbd524e40e955ee5bbec1b327d796b9
SHA1361298b120e999cfeefffdc11d4c97bc7253a5af
SHA2562df74e9513f4a9a584005c752f2645f5c7006f477d0ad7da5ccbdc52834df086
SHA51253ac7721c33de1831a4d1557d2291fa357cc2be9f418a9d6d6a3ccd6a9fcad8be420a236175349126c3a57dee2b4b15a5bf57a6683dff1394369182ab6bc9d6b
-
Filesize
200B
MD59d916e08116f4974b147e2bf334905c3
SHA1cada6e5bb84a60679b90d28eb5cc50ade1c4d3b8
SHA256211222d82217c76ddf8ccc3d41a3efce1415c90d9e0d0680cd6d3dc5a5a6c6dd
SHA51243cd986ee69c5ec42ca492fc8487af264e199de6b1cf9d439cf3ebcbc52739f6e6b3fb0bf252cc757b4e573045d213e2cf18c82e1889ca363ac254c0a3484eb5
-
Filesize
200B
MD5423a749790ca69e98ca385ae0478073a
SHA17436de94b38a3958b0bc6550ebf9f1d92103f498
SHA25683cb7230328b7792258678a48cd65c92261e1cc66c12e1bce100c2b49f932d76
SHA5128b3f5d804b1e9895f034476fad322f5baf67681bcb3215abe2d712320e94e7dfdde523fe49fede410e4aba5dfdc96b756180426f156c1583ed47c9329805a261
-
Filesize
200B
MD5080b1c08eb3d3e3c2d181e36e5b2a5aa
SHA1198319923426003ac51f1702a642debd4285b635
SHA2568f5ed1595f5cfd012cc0ca404e348b6f260eafb900b03c2277d7d764d2ca296d
SHA512fd583d29136df07780ef1ddcbd35aba8dfe90232611440f0298c55261d4fc570a2eac1d5d47b747234ba11b4fa791e8cc784353b00d59eaf2a122f3af7437084
-
Filesize
200B
MD54ddb953176a81eb25406bc0899918baa
SHA1a0121fc7f9468bc2549d73c0fd01be679400b2a1
SHA256b16b1a8cf7be570d1fd56fd7e2bce1f0567b22a10aa99d8cf2fbbc88627be989
SHA512385e1d0d6ff585676dcecf5152e5ccc0da169cbe4ba92ee514121ecf1e7fce557c94783e44167933ff6d3907360f8198d659477b4a82119ede83a24829666a10
-
Filesize
3.5MB
MD5465620a95a01b3dec2415522ec5177a8
SHA154318e9baafead2d79d33b1486f7cd766dae4574
SHA256765d071ffdca507a3d8d95077b36133051bc0177b9928cc02daddc3bd216cea3
SHA5129ba068ddc64c7eb15eedf628eba23196ccf6a11efc1ee13de95a29477820509beff96a49c2d92207f0501f66f1bc413955e2de48bc12d81b57fa70c5bc27de27
-
Filesize
41B
MD54061dbe3e62277593371c237a23a7d47
SHA18a5cedfa5f14dfb48d037b0aaf8b2985113b7d8e
SHA256d80ee6aed5b1fab9709e19cfa35c071859ce80f58021d4389b0a751e6f78dd22
SHA512cb16bfa29fe059d1d771c53bd7e3e24ecebb38044b8642ac043e052843e46c27ec3988c8a6b7ecae65b8095a33de35009512514f48762ff2bc23cbef396605cf
-
Filesize
203B
MD5b8859a57b36802480a471ea20554a2f5
SHA10296f757bf7e952d7bff605bd2e0237bb13ecb59
SHA256c30fc00d5cc6a249fa1e8179d06a8aa4c278936c8f6d8bc6ac17ad8b0a019d16
SHA512084f06faf410869285161912ac77ab29b62a7ebfa777d2cf5c3bf51252dc875f93c847b56a22cf02ffcacff878516cad2a5869954153474d5da1e2c3d37d5b8b
-
Filesize
72KB
-
Filesize
744KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
11.1MB
-
Filesize
504KB
-
Filesize
11.1MB
-
Filesize
104KB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
712KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
3.5MB
-
Filesize
5.2MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
344KB