Analysis

  • max time kernel
    139s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240709-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-07-2024 17:09

General

  • Target
    Dox_tool.exe
  • Size
    1.7MB
  • MD5
    276b2bfee53d4a1bd9b6ea4d2f1b7dda
  • SHA1
    675296357dee37115c193e31fac2de25964f5270
  • SHA256
    d9f6c68201892bafc05114797bcfe7d38d14e0d33604fa2b987cd9fb10b0606f
  • SHA512
    58f68ce2fa13fd24bc9d93439560d55fc1121eb2ed949f4b9cbcf6aaaf9363ed55803f1a3714c1a171c2b9c7311aae23867624ea8e0987f3108f0a14199324c3
  • SSDEEP
    24576:U2G/nvxW3Ww0tlRnL691WiZw7xxf2sOQY6/8YHz4m5LG+sn501TW4l/KXFUO9RZQ:UbA30lBL6e7Xjc4euy4l/KXFU6Ih9

Malware Config

Signatures

  • DcRat
    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Process spawned unexpected child process (64 IoCs)
    Typically indicates that the parent process was compromised via an exploit or macro.
  • DCRat payload (2 IoCs)
    Detects the DCRat payload, commonly dropped by NSIS installers.
  • Checks computer location settings (2 TTPs, 4 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP address.
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 45 IoCs)
    schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dox_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\Dox_tool.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webhostDll\fNHZv.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webhostDll\0290EbjbBDdweKiQhFfH.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\webhostDll\hyperAgent.exe
          "C:\webhostDll\hyperAgent.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4584
          • C:\Recovery\WindowsRE\lsass.exe
            "C:\Recovery\WindowsRE\lsass.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2944
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\TrustedInstaller.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\TrustedInstaller.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\TrustedInstaller.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:60
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\hyperAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\hyperAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\hyperAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\webhostDll\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\webhostDll\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\webhostDll\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\webhostDll\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\webhostDll\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\webhostDll\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\hyperAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgent" /f
      1⤵
      • Process spawned unexpected child process
      PID:932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgenth" /f
      1⤵
      • Process spawned unexpected child process
      PID:1500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RuntimeBroker" /f
      1⤵
      • Process spawned unexpected child process
      PID:672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RuntimeBrokerR" /f
      1⤵
      • Process spawned unexpected child process
      PID:912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "conhost" /f
      1⤵
      • Process spawned unexpected child process
      PID:4348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "conhostc" /f
      1⤵
      • Process spawned unexpected child process
      PID:3764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "TrustedInstaller" /f
      1⤵
      • Process spawned unexpected child process
      PID:1232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "TrustedInstallerT" /f
      1⤵
      • Process spawned unexpected child process
      PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "Idle" /f
      1⤵
      • Process spawned unexpected child process
      PID:5000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "IdleI" /f
      1⤵
      • Process spawned unexpected child process
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "SppExtComObj" /f
      1⤵
      • Process spawned unexpected child process
      PID:3372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "SppExtComObjS" /f
      1⤵
      • Process spawned unexpected child process
      PID:4508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgent" /f
      1⤵
      • Process spawned unexpected child process
      PID:4880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgenth" /f
      1⤵
      • Process spawned unexpected child process
      PID:3044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "dllhost" /f
      1⤵
      • Process spawned unexpected child process
      PID:432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "dllhostd" /f
      1⤵
      • Process spawned unexpected child process
      PID:4972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "lsass" /f
      1⤵
      • Process spawned unexpected child process
      PID:4004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "lsassl" /f
      1⤵
      • Process spawned unexpected child process
      PID:3300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgent" /f
      1⤵
      • Process spawned unexpected child process
      PID:1840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgenth" /f
      1⤵
      PID:1240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "Registry" /f
      1⤵
      PID:828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RegistryR" /f
      1⤵
      PID:4816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgent" /f
      1⤵
      PID:1368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgenth" /f
      1⤵
      PID:4244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininit" /f
      1⤵
      PID:1472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininitw" /f
      1⤵
      PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "taskhostw" /f
      1⤵
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "taskhostwt" /f
      1⤵
      PID:3924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RuntimeBroker" /f
      1⤵
      PID:1064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RuntimeBrokerR" /f
      1⤵
      PID:1856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgent" /f
      1⤵
      PID:4916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "hyperAgenth" /f
      1⤵
      PID:4584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "lsass" /f
      1⤵
      PID:4140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "lsassl" /f
      1⤵
      PID:416
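
The process tree above records the whole DCRat persistence routine: a VBE stage launched by WScript, a batch stage run by cmd /c, a dropped executable, a copy of the payload named after a Windows system binary but placed outside System32 (lsass.exe under C:\Recovery\WindowsRE), a w32tm /stripchart /computer:localhost call (which, in the editor's reading, serves as a short sleep before the next stage rather than as time synchronisation), and, for every staged copy, a set of scheduled tasks: a MINUTE trigger without a run level, an ONLOGON trigger at /rl HIGHEST, and a second MINUTE trigger at /rl HIGHEST, with the task name equal to the binary name or the binary name plus its own first letter. The script below is an added example written for this page; it is not sandbox output and not DCRat's or the sandbox vendor's code. It parses command lines of this shape and reports those patterns. SAMPLE_CMDLINES is a constructed subset copied from the tree above; SYSTEM_BINARIES, SYSTEM_DIRS, MAX_BENIGN_MINUTES and the finding labels are the editor's assumptions.

```python
"""Flag DCRat-style persistence in sandbox or EDR process command lines.

Added example for this page, not sandbox output or DCRat code. SAMPLE_CMDLINES
is a constructed subset of the process tree above; the binary list, directory
list, threshold and finding labels are the editor's assumptions.
"""
import re
from collections import defaultdict

# Windows binaries whose names DCRat reuses for its staged copies; a file with
# one of these names outside the real system directories is masquerading.
# (Assumption: illustrative list, extend it from your own inventory.)
SYSTEM_BINARIES = {"lsass", "conhost", "wininit", "runtimebroker", "dllhost",
                   "trustedinstaller", "sppextcomobj", "taskhostw", "idle"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MAX_BENIGN_MINUTES = 15   # assumption: MINUTE triggers at or below this are suspect

SAMPLE_CMDLINES = [  # constructed subset copied from the process tree above
    r'''"C:\Windows\System32\WScript.exe" "C:\webhostDll\fNHZv.vbe"''',
    r'''C:\Windows\system32\cmd.exe /c ""C:\webhostDll\0290EbjbBDdweKiQhFfH.bat" "''',
    r'''"C:\webhostDll\hyperAgent.exe"''',
    r'''"C:\Recovery\WindowsRE\lsass.exe"''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\hyperAgent.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /delete /tn "lsass" /f''',
]


def parse_schtasks(cmd):
    """Return the switches of a schtasks /create or /delete line, else None."""
    m = re.match(r'\s*"?schtasks(?:\.exe)?"?\s+/(create|delete)\b', cmd, re.I)
    if not m:
        return None
    args = {"action": m.group(1).lower()}
    # A value is a double-quoted string (DCRat wraps the /tr path in single
    # quotes inside the double quotes) or a bare token such as MINUTE or 10.
    for switch, value in re.findall(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', cmd, re.I):
        args[switch.lower()] = value.strip('"').strip("'")
    return args


def basename_stem(path):
    name = path.lower().rsplit("\\", 1)[-1]          # 'lsass.exe'
    return name[:-4] if name.endswith(".exe") else name


def masquerades_system_binary(path):
    """True when the file name is a system binary but the directory is not."""
    p = path.lower()
    return basename_stem(p) in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS)


def scripted_stage(cmd):
    """Label WScript/CScript-on-VBS/VBE and cmd-/c-on-.bat stages, else None."""
    c = cmd.lower()
    if ("wscript" in c or "cscript" in c) and re.search(r"\.vb[es]\b", c):
        return "vbscript_stage"
    if re.search(r"cmd(?:\.exe)?\s+/c\s.*\.bat\b", c):
        return "batch_stage"
    return None


def is_w32tm_delay(cmd):
    """Sampling localhost with w32tm yields nothing useful; it is a sleep."""
    c = cmd.lower()
    return "w32tm" in c and "/stripchart" in c and "/computer:localhost" in c


def triage(cmdlines):
    """Return sorted (finding, detail) pairs for a list of command lines."""
    findings = set()
    tasks_by_target = defaultdict(list)   # /tr path -> [(tn, sc, mo, rl)]
    for cmd in cmdlines:
        stage = scripted_stage(cmd)
        if stage:
            findings.add((stage, cmd))
        if is_w32tm_delay(cmd):
            findings.add(("w32tm_localhost_delay", cmd))
        task = parse_schtasks(cmd)
        if task is None:
            exe = re.match(r'\s*"?([a-z]:\\[^"]+\.exe)"?', cmd, re.I)
            if exe and masquerades_system_binary(exe.group(1)):
                findings.add(("masquerading_exe_executed", exe.group(1)))
            continue
        if task["action"] == "delete":
            findings.add(("task_deleted", task.get("tn", "")))
            continue
        target = task.get("tr", "")
        tasks_by_target[target].append((task.get("tn", ""), task.get("sc", "").upper(),
                                        task.get("mo"), task.get("rl", "").upper()))
        if masquerades_system_binary(target):
            findings.add(("task_runs_masquerading_exe", target))
        stem = basename_stem(target)
        if task.get("tn", "").lower() in (stem, stem + stem[:1]):
            findings.add(("task_name_derived_from_binary", task["tn"]))
    # Per staged copy DCRat registers a MINUTE task, an ONLOGON task at HIGHEST
    # and a second MINUTE task at HIGHEST; MINUTE plus ONLOGON plus HIGHEST is
    # enough to call it, even if one of the three tasks was already removed.
    for target, tasks in tasks_by_target.items():
        schedules = {sc for _, sc, _, _ in tasks}
        elevated = any(rl == "HIGHEST" for _, _, _, rl in tasks)
        if {"MINUTE", "ONLOGON"} <= schedules and elevated:
            findings.add(("dcrat_persistence_triplet", target))
        for _, sc, mo, _ in tasks:
            if sc == "MINUTE" and mo and int(mo) <= MAX_BENIGN_MINUTES:
                findings.add(("high_frequency_task", f"{target} every {mo} min"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_CMDLINES):
        print(f"{finding:32} {detail}")
```

Feed it the full set of process-creation command lines from an EDR export rather than the sandbox subset. The masquerade check assumes the system drive is C:, and the task-name heuristic also fires on benign software that names a task after its own binary, so treat task_name_derived_from_binary as corroborating evidence; the combination of a masquerading target path, a MINUTE trigger of a few minutes and an ONLOGON trigger at HIGHEST is the pattern worth alerting on by itself.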

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Temp\56085415360792
    Filesize: 275B
    MD5: b2023745e2b7771c8a635559a17a26d1
    SHA1: 77617b615f40613275da071c5974e7ae0777df5e
    SHA256: bdf22c1c87e59e9ae220f93aaca28677810c4048f3644558650d32ba69351870
    SHA512: 5cd1f326269ed3bc65dd204e90a02c83ba3ffd19daad47f572c23337c0bc9aaec6f29dacacb7ec1d7dbcfb24050d3dfee16d13d2c22c4392482eafc03f7d45f7
  • C:\Program Files (x86)\Internet Explorer\images\7e69c1eea28139
    Filesize: 403B
    MD5: 38d7ac2a0601becec7f6cc7d07d29c43
    SHA1: 519065b295a0deb2f08defb074ccfb2c4640dbbc
    SHA256: 418aff7bc77e02c61c2df688fb6cfc81271c194f6767ca064e4d188f4d941c37
    SHA512: ae3b41e50a25103e8995e45d2fe9c8fec248e3a395e20b5415ea986a712c007209e5566d7dc7dbcf2600082aa7e1a7e800b99745dc0b3e1eca8ba348b1f60f95
  • C:\Program Files (x86)\Windows NT\Accessories\en-US\04c1e7795967e4
    Filesize: 118B
    MD5: 5ef801fd25fd8c39b11d5b96ed8134be
    SHA1: 2b9b760ac8e83fda86d3f034b7bb00146bb43eb5
    SHA256: 23fe85ee21f7dbc83047bece176c5ec8df244ab9391d3007fd4eaec45317dd34
    SHA512: 69a97db9a1ffe2484f034081845a4619f524adb616d7b72200d9893fce54e6a0db56e7cdcc4e64ae5e6555e4d5f5167819e1bda9af262fa1727169f88e116338
  • C:\Program Files (x86)\Windows NT\Accessories\en-US\7e69c1eea28139
    Filesize: 365B
    MD5: a6306d1cdae0bbd16e7b77321683c2d3
    SHA1: b3808795c967c820ff2de3afb59aa2bd8ff023ad
    SHA256: b0beb6a4ddbaa96106a33d877ffd5abd2f9514999784f5a7a391489d3fd65d1b
    SHA512: 94974468fd48265dd992ae829208ab31a030d0caca316bdda12f722ba53a239d80c3a56b363893bfeccac2b0fde25f5cf442fe5e28e39f23b09b301ef97e939b
  • C:\Program Files\Java\jdk-1.8\lib\ee2ad38f3d4382
    Filesize: 528B
    MD5: 229e6b3e2836a5b34b0dfd0f87b15fdb
    SHA1: 176701589929bc13505944eba1c6c4bf85961459
    SHA256: a5a045227bcb85bcaa3df34491e3a78f7cb5e3432b0272845396c26911a2d1a0
    SHA512: 9536a662d0d92d1776340f182b7932b8d49ae0a4b445e8fea244badb8d3fb1bd6d7dc643a05a1345eeeaf5eef644b2ec596f475314536bf6bb1a02dbf297f53b
  • C:\Program Files\Uninstall Information\7e69c1eea28139
    Filesize: 774B
    MD5: 80919e2ea0622ff0d2f4a8dd1050165c
    SHA1: af38f3e5f788569c14b903ed49029c86f4fce543
    SHA256: 570b05c6cae5318e407897339c01db0b014c04e92670267540f34a29fa5dddc4
    SHA512: a3f8d61d753c86292fd14478d77e441848133c1f16e1a4838160c484a401f83e4fdcbf1ebfb6fe0eccc4c8eb6fdd2e9764770bff83c5f40a744abbdd3a9fedac
  • C:\Program Files\Windows Defender\it-IT\088424020bedd6
    Filesize: 480B
    MD5: 687625500852dc66b657410a55a8601d
    SHA1: f0df534a1a0f5241915542aa6153b51c3a9b5b01
    SHA256: 02a91ccc6e68510f0bb88dd33e53a50585b5c2a856919ce1d2b7a62767edf696
    SHA512: 286281bdc326913866aa64ad35da24127892526b71793110883e906f3821e4b396f7f8d25687862e3084c74577d0d7766d6c1d583da3d02c47fed70f4b41ec92
  • C:\Recovery\WindowsRE\6203df4a6bafc7
    Filesize: 521B
    MD5: 84ff692efff1c73a4f2d65a0012bb282
    SHA1: fe0e79d3285416a40d7ae32cd184c2e7c6427f1d
    SHA256: 2b2b5b67901659d86a94bb67ed3be3283d6b72e282de02a37b551860eba2b0b2
    SHA512: 6affe41e93627b9e565908272b365d1de7ae382372d74dfabfcb2df6e8bdf557be421ac366e80eea3f7ca1ca1c3a37226ece8c8c37a1f4a340b34ee5cf86752e
  • C:\Recovery\WindowsRE\6ccacd8608530f
    Filesize: 563B
    MD5: e2a1fe92ee9b04222dc988e2552c1807
    SHA1: 4a785ecf676f4ff837f16b7074ffb41df9387427
    SHA256: 5bda732293b83cdc3c28fbf538d14e3c3b6c8df0065443b7f7d756b1653b9b89
    SHA512: 9a4a1076d5f1af10dddcdf5035e19fb8d79965968d76283881df9c53f0e7d4a53ab6bc75c17a8252644e658fa8fac3f2498a8dd80627502d5eae16d1cc407b39
  • C:\Recovery\WindowsRE\7e69c1eea28139
    Filesize: 632B
    MD5: f66f6c21fb9cc03f4c8d373c5978692e
    SHA1: df63f7a360c335bd0c94c392048e2c4780a4cc8e
    SHA256: e2773ad4c331f1397c8654a3f8f87c00237d04ee1bd9875b7596d2a30bad4ca3
    SHA512: 0ab0af15d2d6c72a42d1062e784b61ca732aa5ad633241cd31e56b8ee97f49cb5e7edaade52ebdc34596471fd284f751da06893e8ef7efbc3318d4d22679163a
  • C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat
    Filesize: 253B
    MD5: 1aeb049daa34dc3968e19f1d02b511f3
    SHA1: 0877cb3a6ef86fe43059f3e7359d7a2a95e4b7ed
    SHA256: 8c9ab155a2465b927acbc44835a316a0ada2436773d0f6c786b584ebe32fc25d
    SHA512: ae1bc8e38a723706640c4c8a1d62ad903c31d9edf030f9ec389e10840cd19c28e497b192c9ee708e18d7483265c04c68ab79705de0325e464fed582899df1f0f
  • C:\Users\All Users\e1ef82546f0b02
    Filesize: 688B
    MD5: 6ed1deaf2ab651c86427a27ee3e2385f
    SHA1: fb59db535010b79998cd785859d3f42761623ebf
    SHA256: b3915393871bc81dd7c0fa4a099d693d1f072b7bb5a5de128756dda996db6950
    SHA512: 0238b14b77a46623ee2168a7d0d83b02c7ad1fd1b33de334cd066f27cf3a95a292116094c15e3adc4e7ac65728262bcd25870e5361e974d64e84f8e91cde5fb9
  • C:\Users\Public\5940a34987c991
    Filesize: 164B
    MD5: 3559530be2818bca295c6b0e3d30f73c
    SHA1: 7f58e7fbb4d7c5de2983e3c3362062d93c698967
    SHA256: 948a8ec1e75d35812657220d7893e481fcd3f245201e0ce21d2f0b769fd43044
    SHA512: 093b74b6881a964d6bfb0b8a3b8e4423bdfa805021e37fbb2eb02fb44dc242e71dd5f4e28cf3a02789e0a604c9864b82654f0fa7eb29118dc63738845800b557
  • C:\Windows\Offline Web Pages\9e8d7a4ca61bd9
    Filesize: 648B
    MD5: 95e50891fbbef0828b4299acf39b8704
    SHA1: 33513fe04a124f2d212b7558974eb6dc4f9cce58
    SHA256: ef4c31e3ab31a9b159e64f8aff8521827ca6527bd679f171a224abe4d2c42ff5
    SHA512: d7f7308130a4aaa8bd9aaf7388e4cb2828602d776f34a3c2de45044d1696afe5177de62390cf28c0dda1d8b2009780a80a61760a0dbf8af8ac17ee5d6df2541a
  • C:\webhostDll\0290EbjbBDdweKiQhFfH.bat
    Filesize: 30B
    MD5: 810733c00786845997b0aae47ea1fa35
    SHA1: 5397cadacb69da27c8720564529b79c4626f3191
    SHA256: 48fa19bdbe1aea2041d907aa0fbd832efca4b1c0f809e594bf35d4f48c2940f5
    SHA512: 77f0c9db49bce933c2f7c4293352a0626f2997fa417043e10e50f9b6c40fea5e744eb03e7d8850cbff34c1bf3e05f8c3b3637c632ce0c878bd61b7dfb3f6fe1d

                                  • C:\webhostDll\9e8d7a4ca61bd9

                                    Filesize

                                    111B

                                    MD5

                                    5ef51ed7e2ba5583cfc8ce493b61f1db

                                    SHA1

                                    097e011e5a85e16f3fca7b98ecb58ae9c899198f

                                    SHA256

                                    ca4e6309188a76d3fd677cb07c8f9dd5b087f97e9e29c502a7c49c7102deab80

                                    SHA512

                                    e4a46857d5ffc517efc8c5f3c9ce92ee759555c6523b9802d9637566de7861f09df123239bb53c9a9b0a7a1946ed1c54b867301647ade9a4cc36e04083d24b94

                                  • C:\webhostDll\ea9f0e6c9e2dcd

                                    Filesize

                                    256B

                                    MD5

                                    e30d9273cca34eb3ab067c11e3de8d06

                                    SHA1

                                    e193aa7152610380da9c6bfdab7a9a17797042bf

                                    SHA256

                                    c4082485e81b12047c8c749223c8e7255551395ac1bb994bb7b7c58815b3d8b6

                                    SHA512

                                    5286eed5024e770bccae7537b7cd27a82ac815dbb2e0bd257f1110f6e8530da863ddf20e8d22488f46497498cc5466b23061b382ed3ebdf72ddda10405cc64d0

                                  • C:\webhostDll\fNHZv.vbe

                                    Filesize

                                    207B

                                    MD5

                                    cc0d1e3fc198a8e30655575eb2fc1013

                                    SHA1

                                    2adc5a011ec323cfedc33b33e9939befa69ae8fc

                                    SHA256

                                    50505261daaf6ed3d589b87313bd71b4fdc0786a9645ef2c684e2a9e3680cff3

                                    SHA512

                                    0e4f49fd4cce7ae8594733bc7b492ea5ed1b94aeee9af7f9e170e570c93e50c0cd84d2f350cf612d0fdd7adfdc31fadb8fc039b8ff5d1f92ece227fd124b8416

                                  • C:\webhostDll\hyperAgent.exe

                                    Filesize

                                    1.4MB

                                    MD5

                                    741ed82d8e221881bfdddfce745bb615

                                    SHA1

                                    b8c6122c5403419d2558550a46e6f8735117256b

                                    SHA256

                                    a9c733108faf9fde17095aa2ff04ac2af0c993c7845e964af6e943cd4230e86b

                                    SHA512

                                    5e9706608893a74405b24c34f9248acf3584a2a09fea1dd64d9a5e9ebc3a6721dafbd4fb2a524a09a76589eadf91bb2510ee37e3678bf9b9f8f417e2b94fda2b

                                  • memory/3748-64-0x000000001E2D0000-0x000000001E7F8000-memory.dmp

                                    Filesize

                                    5.2MB

                                  • memory/3748-63-0x000000001D7D0000-0x000000001D992000-memory.dmp

                                    Filesize

                                    1.8MB

                                  • memory/4584-21-0x000000001B780000-0x000000001B78C000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/4584-20-0x000000001B770000-0x000000001B77A000-memory.dmp

                                    Filesize

                                    40KB

                                  • memory/4584-19-0x0000000002F90000-0x0000000002F9E000-memory.dmp

                                    Filesize

                                    56KB

                                  • memory/4584-18-0x0000000002F80000-0x0000000002F90000-memory.dmp

                                    Filesize

                                    64KB

                                  • memory/4584-17-0x0000000002F60000-0x0000000002F76000-memory.dmp

                                    Filesize

                                    88KB

                                  • memory/4584-16-0x000000001B7C0000-0x000000001B810000-memory.dmp

                                    Filesize

                                    320KB

                                  • memory/4584-15-0x0000000002F40000-0x0000000002F5C000-memory.dmp

                                    Filesize

                                    112KB

                                  • memory/4584-14-0x0000000002F30000-0x0000000002F3E000-memory.dmp

                                    Filesize

                                    56KB

                                  • memory/4584-13-0x0000000000A90000-0x0000000000C00000-memory.dmp

                                    Filesize

                                    1.4MB

                                  • memory/4584-12-0x00007FFD40743000-0x00007FFD40745000-memory.dmp

                                    Filesize

                                    8KB